CERT Program
http://www.sei.cmu.edu
Copyright 2011 Carnegie Mellon University. This material is based upon work supported by United States Department of Defense under Contract No. FA8721-05-C0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. This report was prepared for the SEI Administrative Agent ESC/XPK 5 Eglin Street Hanscom AFB, MA 01731-2100 NO WARRANTY THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN AS-IS BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. This material has been approved for public release and unlimited distribution except as restricted below. Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and No Warranty statements are included with all reproductions and derivative works. External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu. CERT is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University. 
For information about SEI publications, please visit the library on the SEI website (www.sei.cmu.edu/library).
Table of Contents
Acknowledgments
Abstract
1 Introduction
1.1 Process Area Measures
1.2 Information Needs That Drive Resilience Measurement
1.3 Report Overview
2 Top Ten Strategic Measures
2.1 Organizational Objectives
2.2 High-Value Services and Assets
2.3 Controls
2.4 Risks
2.5 Disruptive Events
3 Introduction to the Resilience Measures
4 Future Plans
Appendix: Resilience Measures
References
CMU/SEI-2011-TR-019| i
Acknowledgments
The authors would like to thank the reviewers of this report for their thoughtful and valuable comments. Reviewers are members of the CERT Resilient Enterprise Management Team.
Rich Caralli, Jim Cebula, John Haller, Sam Merrell, Kevin Partridge, Barbara Tyson, David White, and Lisa Young.
The authors would also like to thank Noopur Davis of Davis Systems for her review comments. Noopur regularly contributes to REM team measurement work and is the co-author of Measuring Operational Resilience Using the CERT Resilience Management Model [Allen 2010].
Abstract
How resilient is my organization? Have our processes made us more resilient? Members of the CERT Resilient Enterprise Management (REM) team are conducting research to address these and other related questions. The team's first report, Measuring Operational Resilience Using the CERT Resilience Management Model, defined high-level objectives for managing an operational resilience management (ORM) system, demonstrated how to derive meaningful measures from those objectives, and presented a template for defining resilience measures, along with example measures.

In this report, REM team members suggest a set of top ten strategic measures for managing operational resilience. These measures derive from high-level objectives of the ORM system defined in the CERT Resilience Management Model, Version 1.1 (CERT-RMM). The report also provides measures for each of the 26 process areas of CERT-RMM, as well as a set of global measures that apply to all process areas. This report thus serves as an addendum to CERT-RMM Version 1.1. Since CERT-RMM practices map to bodies of knowledge and codes of practice such as ITIL, COBIT, ISO2700x, BS25999, and PCI DSS, the measures may be useful for measuring security, business continuity, and IT operations management processes, either as part of adoption of CERT-RMM or independent of it.
1 Introduction
The purpose of this technical report is to present operational resilience measures developed through ongoing research that was first reported in Measuring Operational Resilience Using the CERT Resilience Management Model [Allen 2010]. CERT-RMM[1] version 1.1 defines operational resilience as the organization's ability to adapt to risk that affects its core operational capacities. Operational resilience is an emergent property of effective operational risk management [Caralli 2011]. Operational risk management is supported and enabled by the disciplines of security, business continuity, and some aspects of IT operations.

CERT-RMM provides a process view of resilience by describing the practices of these disciplines as part of larger enterprise processes. A process can be defined, communicated, and controlled. The desired goals and outcomes of the process can be identified, success in reaching those goals and outcomes can be measured, and gaps can be identified and addressed.

Operational resilience supports the ability of services and their associated assets (information, technology such as systems and software, facilities, and people) to achieve their mission. An operationally resilient service is a service that can meet its mission under times of disruption or stress and can return to normalcy when the disruption[2] or stress is eliminated. A service is not resilient if it cannot return to normalcy after being disrupted, even if it can temporarily withstand adverse circumstances.

Resilience objectives for services and assets are achieved through an operational resilience management (ORM) system. An ORM system includes all of the processes necessary to manage operational resilience, along with their associated and supporting plans, programs, procedures, practices, and people. In our first report, we defined high-level objectives for managing an ORM system and demonstrated how to derive meaningful measures from those objectives.
For example, one high-level objective identified was, "Demonstrate that the ORM system sustains high-value services and associated assets during and following a disruptive event." One measure defined for that objective was, "For disrupted high-value services with a service continuity plan, percentage of services that delivered service as intended throughout the disruptive event" [Allen 2010]. Linking to high-level objectives can help establish measurement priorities at the enterprise level. Some strategic measures provide meaningful information for business decision making, and many can be used to guide the day-to-day operational resilience of services and their associated assets. In Chapter 2 of this report, we take another look at deriving measures from high-level objectives to suggest a list of the top ten strategic measures for managing operational resilience.
[1] CERT is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.
[2] Disruption in this definition applies to a disturbance that does not exceed the service's operational limit. A catastrophic loss of infrastructure would not be considered a disruption.
1.1 Process Area Measures

The bulk of this report, however, focuses on measurement priorities for each of the 26 CERT-RMM process areas (PAs).[3] These measures were derived from the specific practices and subpractices of the PAs and are intended to measure either the extent of the practices' implementation or their effectiveness in improving operational resilience. Some of the measures appear in simple list form in Generic Goal 2, Generic Practice 8 (GG2.GP8), Monitor and Control the Process, in their respective PAs in Version 1.1 of the model, and they are updated and expanded in this report. Other measures are new as of this report. They are process measure examples for GG2.GP8 subpractice 2, Review accomplishments and results of the process against the plan for performing the process.[4] The generic goals and practices in the model are those that apply to every PA; thus every PA has a GG2.GP8, but the measure examples are specific to each PA.

The generic goals and practices in CERT-RMM are indicators of progressive levels of capability. Generic goal 1 in any PA relates to achieving performance of the specific practices of that PA (capability level 1). Generic goal 2 assumes that the specific practices are being performed and provides guidance for higher capability practices such as planning the process and measuring performance against the plan. For those who are using the model, the measures can be used to help achieve capability level 2 in any given PA. For those who are not using the model, the measures can be useful for measuring security, business continuity, and IT operations management processes because CERT-RMM practices map to bodies of knowledge and codes of practice such as ITIL, COBIT, ISO2700x, BS25999, and PCI DSS.

We expect many of these tactical measures at the PA level will be combined to inform more strategic measures, which will in turn demonstrate the extent to which operational resilience objectives are (or are not) being met.
So there is a need for both types of measures.

1.2 Information Needs That Drive Resilience Measurement

The measures in this report result from research by the authors and other CERT Program staff members at the SEI to assist business leaders in addressing key questions they may be asked (or may ask themselves). The measures inform the answers to these questions:
- How resilient is my organization?
- Have our processes made us more resilient?

Some further interpretations of these questions might include the following:
- Do I need to worry about operational resilience?
- If my services are disrupted, will it make the news? Will I end up in court? In jail? Will I be able to stay in business?
- Do I meet compliance requirements?
- How resilient am I compared to my competition?
- Do I need to spend more on resilience? If so, on what?
- What am I getting for what I've already spent?
- What is the business value of being more resilient?

The key questions being addressed by this research project include
- What should I be measuring to determine if I am achieving my performance objectives for operational resilience?
- Given that measurement is expensive, how can I identify measures that will most effectively inform decisions and affect behavior?

[3] A process area is a cluster of related practices in an area that, when implemented collectively, satisfies a set of goals considered essential for that area. For example, the goals of the CERT-RMM People Management PA are Establish Vital Staff, Manage Risks Associated with Staff Availability, and Manage the Availability of Staff.
[4] Although the authors have attempted to be thorough in developing useful measures related to the CERT-RMM PAs, there may be other measures that will be meaningful for your organization. Measuring Operational Resilience Using the CERT Resilience Management Model [Allen 2010] provides guidance and a template for developing resilience measures.
1.3 Report Overview

As mentioned above, Chapter 2 of this technical report introduces a set of top ten strategic measures that have been derived from the objectives for operational resilience in Measuring Operational Resilience Using the CERT Resilience Management Model [Allen 2010]. These measures have received positive feedback at several conferences. We will continue to update and refine these measures as the basis for additional measures that provide a top-down view.

The Appendix of this report updates all process implementation and effectiveness measures listed in Generic Goal 2, Generic Practice 8 (GG2.GP8), Monitor and Control the Process, in each of the 26 PAs of CERT-RMM v1.1. These process implementation and effectiveness measures provide a bottom-up, tactical view. The purpose of this update is to improve completeness (with respect to covering the specific goals and practices in CERT-RMM v1.1), consistency, and clarity. In addition, the report adds a new set of global measures that apply to all PAs. These global measures have been deleted from each of the individual PAs. The tables presented in this report serve as updates and an addendum to CERT-RMM v1.1 and replace corresponding elaboration tables in GG2.GP8 subpractice 2 for each PA. Some of the measures use concepts and terminology from the model. Please refer to the glossary and relevant PA sections in CERT-RMM ([Caralli 2011] or www.cert.org/resilience/rmm.html) for clarification as needed.
2 Top Ten Strategic Measures

Operational resilience strategic measures help ensure that any measurement of operational resilience directly supports the achievement of business objectives. One of the many pitfalls of unsuccessful measurement programs is collecting, analyzing, and reporting data that does not contribute to informing decisions or changing behavior. Often measurement programs collect and report measures of type count (such as number of incidents, number of systems with patches installed, number of people trained) with little meaningful context for how these measures will be used.[5] By having a set of strategic measures, we can map those measures to the most useful measures at the individual PA level and develop criteria to determine which PA-level measures best address the questions posed in the Introduction. In addition, measurement can be expensive, and organizations should be judicious in selecting measures that form the foundation of their measurement program.

The strategic objectives for an ORM system are described in the next five sections. Each is currently supported by two measures. For further details, refer to Section 2.3 of Measuring Operational Resilience Using the CERT Resilience Management Model [Allen 2010].

2.1 Organizational Objectives

Objective: The ORM system derives its authority from and directly traces to organizational drivers. Organizational drivers include strategic objectives and critical success factors (refer to the Enterprise Focus process area [Caralli 2011]). An alternative way of stating this might be "The ORM system derives its authority from a directive given by a senior, high-level executive." This could be considered one form of organizational driver.

Measure 1: Percentage of resilience activities that do not directly (or indirectly) support one or more organizational objectives. An activity can be a project, task, performance objective, or investment, and represents some meaningful decomposition of the resilience program.

Measure 2: For each resilience activity, number of organizational objectives that require it to be satisfied (goal is 1 or more).

Supporting measures that address the relationship between organizational objectives and resilience are contained in the Appendix table for Enterprise Focus (EF).

2.2 High-Value Services and Assets

Objective: The ORM system satisfies resilience requirements that are assigned to high-value services and their associated assets. An alternative way of stating this might be "The ORM system satisfies governance, compliance, policy, framework, assessment, and reporting requirements." These could all be considered expressions of enterprise resilience requirements.

[5] While readers of this report will see measures of this type in the Appendix, they are presented in the context of one or more process areas and are often used as the basis for calculating derived measures.
Measure 3: Percentage of high-value services that do not satisfy their assigned resilience requirements. (Operational resilience requirements are a derivation of the traditionally described security objectives of confidentiality, availability, and integrity. They may also include privacy requirements.) A companion measure would be to measure a specific service of interest, ensuring that criteria for selecting such a service are defined.

Measure 4: Percentage of high-value assets (information, technology, facilities, and people) that do not satisfy their assigned resilience requirements. Examples of assets are network infrastructure, a specific application, a database, a data center, and a lead system administrator.

Supporting measures that address resilience requirements for services are contained in the Appendix table for EF. Supporting measures that address resilience requirements for assets are contained in the following Appendix tables by asset type:
- Asset Definition and Management (ADM): general
- Environmental Control (EC): facilities
- Knowledge and Information Management (KIM): information
- People Management (PM): people
- Technology Management (TM): technology
2.3 Controls

Objective: Via the internal control system,[6] the ORM system ensures that controls for protecting and sustaining high-value services and their associated assets operate as intended.

Measure 5: Percentage of high-value services with controls that are ineffective or inadequate. This may include unsatisfied control objectives, unmet resilience requirements, missing controls, and outstanding assessment and audit problems above threshold without remediation plans.

Measure 6: Percentage of high-value assets with controls that are ineffective or inadequate.

Supporting measures that address controls in general are contained in the Appendix table for Controls Management (CTRL). Supporting measures that address controls for assets are contained in the Appendix tables by asset type as noted in Section 2.2, Measure 4.

2.4 Risks

Objective: The ORM system manages operational risks to high-value assets that could adversely affect the operation and delivery of high-value services.

Measure 7: Confidence factor that risks from all sources that need to be identified have been identified. A detailed template for this measure appears in Section 4.1.1 of Measuring Operational Resilience Using the CERT Resilience Management Model [Allen 2010].

Measure 8: Percentage of risks with impact above threshold. This should include risks without mitigation plans, risks that are not effectively mitigated by their mitigation plans, and risks that have not been reviewed in the required time frame.

[6] The internal control system includes the methods, policies, and procedures used to protect and sustain assets at a level commensurate with their role in supporting high-value services.
Supporting measures that address risks in general are contained in the Appendix table for Risk Management (RISK). Supporting measures that address risks for assets are contained in the Appendix tables by asset type as noted in Section 2.2, Measure 4.

2.5 Disruptive Events

Objective: In the face of realized risk, the ORM system ensures the continuity of essential operations of high-value services and their associated assets. Realized risk may include an incident, a break in service continuity, or a man-made or natural disaster or crisis.

Measure 9: Probability of delivered service through a disruptive event.

Measure 10: For disrupted, high-value services with a service continuity plan, percentage of services that did not deliver service as intended throughout the disruptive event.

Consider using near misses and incidents avoided as predictors of successful disruptions in the future. Supporting measures that address service continuity are contained in the Appendix table for Service Continuity (SC). Supporting measures that address incident management are contained in the Appendix table for Incident Management and Control (IMC).
3 Introduction to the Resilience Measures

The following process was used to generate the tables of resilience measures presented in the Appendix:
1. Starting with existing GG2.GP8 subpractice 2 process area measures for each PA in CERT-RMM v1.1, the type of information that each measure addresses was designated (see the Column 3 description below). Measures were then ordered in a logical progression by type of information.
2. The new Measure Type and Base or Derived columns (Columns 4 and 5, respectively) were populated for each existing measure.
3. The PA specific goals and specific practices were carefully reviewed, and measures were added, corrected, combined, or eliminated, as needed. Each measure was mapped to the specific goal(s) and practice(s) that it informs (Column 6).
4. All measures were edited for clarity and consistency and to eliminate redundancy, separate compound measures, and eliminate measures of insufficient information value.
5. Measures that are global in nature were identified (that is, ones that apply to all PAs). A new table of global measures was created, and the global measures were deleted from the tables of PA-specific measures. Global measures were defined for the generic goals and practices that accompany each process area.
6. All measures tables were reviewed by at least two reviewers.
This process was started for three process areas in Measuring Operational Resilience Using the CERT Resilience Management Model, specifically Knowledge and Information Management (KIM), Incident Management and Control (IMC), and Risk Management (RISK). Refer to Section 4.1 of that document for information on these three process areas in the context of selected CERT-RMM ecosystems (a collection of process areas, relationships, goals, and practices that contribute to a specific objective, such as the management of risk).

Each table is organized as follows (refer to the Appendix):

Column 1: ID
The ID field is a unique, sequential identifier that is assigned to each measure. We organized measures in a logical progression, which often matches the order of the specific goals and practices for the specific PA. The Column 3 entry typically determines the order of the measures.

Column 2: Measure
This field contains the measure or, in some cases, a set of related measures.

Column 3: Type of Information
The intent of this field is to identify several standard types of information within each PA that the measure informs. These may be CERT-RMM work products (such as asset inventory and asset controls) or activities (such as change management and obligation satisfaction). Type of information entries support some level of affinity grouping of related measures and may be used in the future to reduce or aggregate related measures.

Column 4: Measure Type
Measures can be one of three types:
- Implementation measures answer the question, "Is this process, activity, or practice being performed?" Such measures provide no information regarding the contribution (or lack thereof) that the activity is making to improved operational resilience. The measures presented in this report are predominantly implementation measures. This is as expected for this stage of our research project, given that such measures describe an organization's behavior as it is starting to improve its operational resilience management processes (referred to in CERT-RMM as capability levels 1 and 2).
- Effectiveness measures answer the questions, "How good is the work product or outcome of the process, activity, or practice? Does it achieve the intended result?" Effectiveness measures are typically of much greater interest than implementation ones. Many of them derive from one or more implementation measures.
- Process performance measures answer the questions, "Is the process performing as expected? Is it efficient? Can it be planned? Is it predictive? Is it in control?" There are only a few process performance measures described in this report. This is as expected for this stage of our research project, given that organizations focus on institutionalizing defined processes at a later stage of their resilience improvement activities (referred to in CERT-RMM as capability level 3).

On occasion, the Measure Type field states "implementation, possibly effectiveness." Such measures may be potential candidates for effectiveness measures but require additional interpretation and analysis. For further details on these definitions, refer to Section 3.1.3 of Measuring Operational Resilience Using the CERT Resilience Management Model [Allen 2010].

Column 5: Base or Derived
This field indicates whether the measure is a base measure or a derived measure, defined as follows:
- A base measure is a directly observable attribute of an asset, service, or resilience process. A measure quantifies an attribute; a person's height can be measured in feet and inches, service response time can be measured in seconds or minutes, and process elapsed time can be measured in days or months. A base measure is thus defined by fundamental units that are not composed of any other units and is functionally independent of other measures. Base measures can be one of four types: count, cost or effort, schedule, or defects. Most of the base measures presented in the tables are of type count (number of) or of type schedule (elapsed time since or total calendar time).
- A derived measure is a mathematical function of two or more base and/or derived measures. Examples of resilience derived measures are percentage of incidents that exploited existing vulnerabilities with known solutions, patches, or workarounds; percentage of information assets without assigned resilience requirements; and change in number of identified risks that exceed risk parameters.

For further details on these definitions, refer to Section 3.1 of Measuring Operational Resilience Using the CERT Resilience Management Model [Allen 2010].

Column 6: Applicable SG.SP
This field contains the mapping of the measure to applicable CERT-RMM specific goals and practices. The identified SGs and SPs served as the source for the measure. Occasionally the field entry states "none." This indicates a measure that derives from another source (such as a CERT-RMM appraisal) and is not specifically called for in the model.

While the tables are presented in alphabetical order by PA acronym, measures were often developed across related sets of PAs that share common specific goals and practices. Three noteworthy clusters of PAs are the asset cluster, the risk cluster, and the controls cluster. Readers of the measures contained in these tables will see commonality and repetition of certain measures. While repetition adds to the effort to maintain measures tables, we want to ensure that each table stands alone to the greatest extent possible (without having to draw upon measures in other PA tables). These clusters include the following process areas:
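Worked example (added here; this is not code from the report or from CERT-RMM): the base/derived distinction just described, together with Measures 8 and 10 from Chapter 2, computed in Python over constructed records. Base counts are read straight from the records; derived measures are functions of those counts. Everything in it is an assumption made for illustration: the record fields, the risk parameter IMPACT_THRESHOLD, the review interval REVIEW_WINDOW_DAYS, the sample data, and the reading of Measure 8 as "risks above threshold that have no mitigation plan, an ineffective plan, or an overdue review, as a percentage of all identified risks".

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed organisational risk parameters (illustrative values, not from the report).
IMPACT_THRESHOLD = 7       # impact scores above this exceed the organisation's tolerance
REVIEW_WINDOW_DAYS = 90    # an identified risk must be reviewed at least this often

@dataclass
class Risk:
    risk_id: str
    impact: int                    # assessed impact score, higher is worse
    has_mitigation_plan: bool
    plan_effective: bool           # judgement from the last review of the plan
    last_reviewed: Optional[date]  # None if the risk has never been reviewed

@dataclass
class DisruptedService:
    name: str
    high_value: bool
    has_continuity_plan: bool
    delivered_as_intended: bool    # met its mission throughout the disruptive event

@dataclass
class Incident:
    incident_id: str
    exploited_known_fixable_vuln: bool  # a patch or workaround existed beforehand

def percentage(numerator: int, denominator: int) -> Optional[float]:
    """Derived measure from two base counts. An empty population yields None
    so it is never mistaken for 0% or 100%."""
    if denominator == 0:
        return None
    return round(100.0 * numerator / denominator, 1)

def risk_unmanaged(risk: Risk, as_of: date) -> bool:
    """Measure 8's inclusion test: no mitigation plan, a plan that does not
    effectively mitigate the risk, or no review within the required window."""
    overdue = (risk.last_reviewed is None
               or (as_of - risk.last_reviewed).days > REVIEW_WINDOW_DAYS)
    return (not risk.has_mitigation_plan) or (not risk.plan_effective) or overdue

def risks_above_threshold(risks: List[Risk]) -> int:
    """Base count: identified risks whose impact exceeds the risk parameter."""
    return sum(1 for r in risks if r.impact > IMPACT_THRESHOLD)

def measure_8(risks: List[Risk], as_of: date) -> Optional[float]:
    """Measure 8 (one reading of the text): risks above threshold that are
    unmanaged per risk_unmanaged, as a percentage of all identified risks."""
    hits = sum(1 for r in risks
               if r.impact > IMPACT_THRESHOLD and risk_unmanaged(r, as_of))
    return percentage(hits, len(risks))

def measure_10(events: List[DisruptedService]) -> Optional[float]:
    """Measure 10: of disrupted high-value services that have a service
    continuity plan, the percentage that did not deliver service as intended.
    Services without a plan are out of scope and leave the denominator."""
    in_scope = [s for s in events if s.high_value and s.has_continuity_plan]
    failed = sum(1 for s in in_scope if not s.delivered_as_intended)
    return percentage(failed, len(in_scope))

def known_fix_incident_rate(incidents: List[Incident]) -> Optional[float]:
    """The derived measure cited under Column 5: percentage of incidents that
    exploited a vulnerability with a known solution, patch, or workaround."""
    hits = sum(1 for i in incidents if i.exploited_known_fixable_vuln)
    return percentage(hits, len(incidents))

def change_in_risks_above_threshold(previous: List[Risk], current: List[Risk]) -> int:
    """Period-over-period change in the base count: the trend view that the
    report says is usually of greatest interest."""
    return risks_above_threshold(current) - risks_above_threshold(previous)

# Constructed sample data for two reporting periods (not figures from the report).
AS_OF = date(2011, 9, 30)
RISKS_Q3 = [
    Risk("R-01", 9, True, True, date(2011, 8, 15)),   # managed and reviewed on time
    Risk("R-02", 8, False, False, date(2011, 7, 1)),  # no mitigation plan
    Risk("R-03", 8, True, False, date(2011, 9, 1)),   # plan judged ineffective
    Risk("R-04", 9, True, True, date(2011, 3, 1)),    # review overdue
    Risk("R-05", 4, False, False, None),              # below threshold: not counted
]
RISKS_Q2 = RISKS_Q3[:2] + [Risk("R-07", 8, True, True, date(2011, 5, 1))]
DISRUPTIONS = [
    DisruptedService("payments", True, True, True),
    DisruptedService("payroll", True, True, False),
    DisruptedService("crm", True, True, True),
    DisruptedService("intranet-wiki", False, True, False),  # not high value
    DisruptedService("reporting", True, False, False),      # no plan: out of scope
]
INCIDENTS = [Incident("I-1", True), Incident("I-2", False),
             Incident("I-3", True), Incident("I-4", True)]

if __name__ == "__main__":
    print("Measure 8:", measure_8(RISKS_Q3, AS_OF), "Measure 10:", measure_10(DISRUPTIONS))
    print("Change in risks above threshold:", change_in_risks_above_threshold(RISKS_Q2, RISKS_Q3))
```

The empty-denominator case is the one worth noticing: a period in which no disrupted high-value service had a continuity plan is reported as "no data" (None) rather than as 0% failures, which would read as full success. The scoping in measure_10 also shows why the wording of a derived measure matters: services without a plan are excluded from the denominator, not counted as failures.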
Asset cluster: This cluster includes the following related process areas for the identification and management of assets:
ADM: Asset Definition and Management
EC: Environmental Control
KIM: Knowledge and Information Management
PM: People Management
TM: Technology Management
A number of measures that appear in ADM are repeated in EC, KIM, PM, and TM, qualified by asset type (facilities, information, people, and technology, respectively).
Risk cluster: This cluster includes the following related process areas for the identification and management of risks to assets:
RISK: Risk Management
EC: Environmental Control
KIM: Knowledge and Information Management
PM: People Management
TM: Technology Management
This cluster also includes the External Dependencies (EXD) PA for the identification and management of risks to external entities and external dependencies. A number of measures that appear in RISK are repeated in EC, KIM, PM, and TM as well as EXD.
Controls cluster: This cluster includes the following related process areas for the identification and management of controls for assets:
EC: Environmental Control
KIM: Knowledge and Information Management
PM: People Management
TM: Technology Management
A number of measures that appear in CTRL are repeated in EC, KIM, PM, and TM, qualified by asset type (facilities, information, people, and technology, respectively). All measures are intended to be repeatedly collected and reported over time. Often changes in measures from one reporting period to the next and trends over time are of greatest interest. Thus, readers will not see specific references to time durations or periods of time in these measures other than the occasional use of elapsed time.
4 Future Plans
This research project will continue through FY12 (October 2011 through September 2012). Future plans include populating a database with all of the measures identified in this report. Through use of this database, measures can be easily maintained and mapped to other CERT-RMM artifacts such as specific goals and practices and CERT-RMM Compass questions.[7]

The research team will perform the following tasks to identify additional measures and updates to existing measures:
- Review CERT-RMM appraisal results, Compass review results, and results of other CERT-RMM assessment efforts.
- Develop an approach (and templates) for defining CERT-RMM processes at the implementation level and use these process definitions to define additional measures.
- Perform a review and analysis of all measures of measure type effectiveness to identify gaps.
- Identify which process area measures provide information supporting the top ten strategic measures.
- Identify criteria for prioritizing process measures based on strategic measures.
- Obtain guidance and feedback from members of the CERT-RMM Users Group.

The team will also develop additional measures templates for key measures (refer to Section 3.3 of Measuring Operational Resilience Using the CERT Resilience Management Model [Allen 2010]). The authors of this report welcome your comments and feedback. We can be contacted at jha@cert.org and pdc@cert.org.

[7] http://www.cert.org/resilience/rmm_compass.html
Appendix
Resilience Measures
The table of global measures that applies to all process areas appears first. It is followed by 26 tables of process-area-specific measures. Each table of measures is preceded by the name of the process area, its purpose, and a summary of its specific goals and practices. This content is taken directly from the CERT Resilience Management Model: A Maturity Model for Managing Operational Resilience [Caralli 2011].

Global Measures

Organizations deploy generic goals and practices to attain successively improving degrees of process institutionalization and capability maturity for operational resilience management. These practices exhibit the organization's commitment and ability to perform operational resilience management processes, as well as its ability to measure performance and verify implementation.
Summary of Generic Practices for Generic Goal 2: Institutionalize a Managed Process
GG2.GP1 Establish Process Governance
GG2.GP2 Plan the Process
GG2.GP3 Provide Resources
GG2.GP4 Assign Responsibility
GG2.GP5 Train People
GG2.GP6 Manage Work Product Configurations
GG2.GP7 Identify and Involve Relevant Stakeholders
GG2.GP8 Monitor and Control the Process
GG2.GP9 Objectively Evaluate Adherence
GG2.GP10 Review Status with Higher-Level Managers
Measures

ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable GG.GP
G-M1 | percentage of higher-level managers who have documented resilience objectives that are reviewed as part of the normal performance review process | governance | impl | derived | GG2.GP1 GG2.GP8
G-M2 | elapsed time since resilience-related compliance obligations were reviewed by higher-level managers | governance | impl | derived |
G-M3 | elapsed time since resilience-related controls in the context of the organization's internal control system were reviewed by higher-level managers | governance; status | impl | derived |
G-M4 | elapsed time since higher-level managers reviewed the priorities of services and associated assets and provided updated guidance | governance; status | impl | derived |
G-M5 | elapsed time since audit reports on resilience-related controls in the context of the organization's internal control system were reviewed by appropriate committees | | | | GG2.GP1 GG2.GP8
G-M6 | elapsed time since higher-level managers reviewed the performance and effectiveness of the operational resilience management system and its processes and provided any necessary course correction | governance; status | impl | derived | GG2.GP1 GG2.GP8
G-M7 [8] | percentage of policies [9] that are met (no violations, all exceptions approved) | policy | impl | derived | GG2.GP1 GG2.GP8
G-M8 | percentage of policies (and/or procedures) that require updates to reflect CERT-RMM process area goals and practices | policy | impl | derived | GG2.GP1 GG2.GP8
G-M9 | percentage of CERT-RMM practices (based on a specific model scope [10]) that are required as a result of policies (and/or procedures) | policy | impl | derived | GG2.GP1 GG2.GP8
G-M10 | number of policy violations, aggregate and by policy | policy | | |
G-M11 | percentage of policy exceptions approved, aggregate and by policy | policy | | |
G-M12 | percentage of process activities that are on track per plan | process plan; process activities | | | GG2.GP2 GG2.GP8
G-M13 | difference in planned versus actual schedule to perform the process | process plan; process activities | | derived | GG2.GP2 GG2.GP8
G-M14 | percentage of process activities approved but not implemented (due to, for example, schedule and resource constraints) | process plan; process activities | | derived | GG2.GP2 GG2.GP8
G-M15 | number of scope changes to process activities | process plan; process activities | impl | | GG2.GP2 GG2.GP8
G-M16 | change in resource needs to support the process | process plan; resources | impl; possibly effectiveness | | GG2.GP3 GG2.GP8
G-M17 | percentage of process activities for which funds have been allocated as planned | process plan; resources | impl | | GG2.GP3 GG2.GP8
G-M18 | percentage of process activities for which staff have been allocated as planned | process plan; resources | impl | | GG2.GP3 GG2.GP8
G-M19 | difference in planned versus actual staff trained to perform the process | process plan; resources | impl; possibly process performance | | GG2.GP3 GG2.GP8
G-M20 | cost to support the process | process plan; resources | impl; possibly effectiveness | derived | GG2.GP3 GG2.GP8
G-M21 | | process plan; resources | impl; possibly process performance | derived | GG2.GP3 GG2.GP8

[8] Measures referring to other types of policies specific to a PA are included in the PA measures table.
[9] Policies as used here refer to new and updated organizational policies that reflect the intent of CERT-RMM process area goals and practices.
[10] Organizations are able to select specific goals (SGs) and specific practices (SPs) from CERT-RMM that support their organizational resilience objectives.
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable GG.GP
G-M22 | percentage of process activities that do not have the necessary methods, techniques, and tools to support them | | | |
G-M23 | percentage of process tasks where responsibility and authority for performing them is not assigned | responsibilities | impl | derived |
G-M24 | percentage of staff who have been assessed to determine if training has been effective [11] commensurate with their job responsibilities (duplicated from OTA; effectiveness) | training | effectiveness | derived |
G-M25 | difference in planned versus actual designated work products that are subject to configuration control | controlled work products | impl | derived | GG2.GP6 GG2.GP8
G-M26 | difference in planned versus actual stakeholders involved in the process | stakeholders | | | GG2.GP7 GG2.GP8
G-M27 | percentage of processes whose performance against plan is measured | process performance | | | GG2.GP8 GG2.GP9
G-M28 | difference in planned versus actual process performance | process performance | | | GG2.GP8 GG2.GP9
G-M29 | percentage of significant deviations from the process plan without corrective actions | process performance; plan deviations | | | GG2.GP8 GG2.GP9
G-M30 | percentage of significant deviations from the process plan with corrective actions that are on track per plan | process performance; plan deviations | impl | derived | GG2.GP8 GG2.GP9
G-M31 | percentage of process problems (performance, execution) without corrective actions | process performance; process problems | impl | derived | GG2.GP8 GG2.GP9
G-M32 | percentage of process problems with corrective actions that are on track per plan | process performance; process problems | impl | derived | GG2.GP8 GG2.GP9
G-M33 | number of process risks referred to the risk management process | risk | impl | | GG2.GP8
G-M34 | number of asset risks referred to the risk management process (applicable to ADM, EC, KIM, PM, TM) | risk | impl | | GG2.GP8
G-M35 | number of process risks referred to the risk management process for which corrective action is pending (by risk rank) beyond threshold (schedule) | risk | impl | | GG2.GP8 GG2.GP10
G-M36 | extent to which resilience [12] is improved as a result of taking action on CERT-RMM diagnostic results [13] as measured by, for example, a reduction in impact and consequences due to a disruptive event such as a security incident | resilience improvement | effectiveness | derived |

[11] OTA:SG4.SP3 provides several approaches for assessing training effectiveness.
[12] This measure could apply to all 26 process areas, a selected set of process areas, or a targeted area of resilience improvement (such as selected specific goals and practices within the model scope for the diagnosis).
[13] Diagnostic results include the outcomes of CERT-RMM appraisals, Compass, or other forms of diagnosis. This measure could be stated as implementing CERT-RMM process areas, specific goals, and specific practices.
Asset Definition and Management (ADM)

The purpose of Asset Definition and Management is to identify, document, and manage organizational assets during their life cycle to ensure sustained productivity to support organizational services.

Summary of Specific Goals and Practices
ADM:SG1 Establish Organizational Assets
  ADM:SG1.SP1 Inventory Assets
  ADM:SG1.SP2 Establish a Common Understanding
  ADM:SG1.SP3 Establish Ownership and Custodianship
ADM:SG2 Establish the Relationship Between Assets and Services
  ADM:SG2.SP1 Associate Assets with Services
  ADM:SG2.SP2 Analyze Asset-Service Dependencies
ADM:SG3 Manage Assets
  ADM:SG3.SP1 Identify Change Criteria
  ADM:SG3.SP2 Maintain Changes to Assets and Inventory

Measures

ID [14] | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
ADM-M1 | percentage of assets [15] that have been inventoried | asset inventory | impl | derived | ADM:SG1.SP1
ADM-M2 | percentage of assets with/without a complete asset profile | asset inventory | impl | derived | ADM:SG1.SP2
ADM-M3 | percentage of assets with/without a designated owner | asset inventory | impl | derived | ADM:SG1.SP3
ADM-M4 | percentage of assets with/without a designated custodian (if applicable) | asset inventory | impl | derived | ADM:SG1.SP3
ADM-M5 | percentage of assets that have designated owners but no custodians (if applicable) | asset inventory | impl | derived | ADM:SG1.SP3
ADM-M6 | percentage of assets that have designated custodians but no owners | asset inventory | impl | derived | ADM:SG1.SP3
ADM-M7 | percentage of assets that have been inventoried, by service | asset inventory | impl | derived | ADM:SG2.SP1
ADM-M8 | percentage of assets that are not associated with one or more services | asset inventory | impl | derived | ADM:SG2.SP1
ADM-M9 | elapsed time since the asset inventory was reviewed | asset inventory | impl | |
ADM-M10 | percentage of asset-service dependency conflicts with unimplemented or incomplete mitigation plans | asset-service dependencies | impl | |
ADM-M11 | percentage of asset-service dependency conflicts with no mitigation plans | asset-service dependencies | impl | |
ADM-M12 | number of discrepancies between the current inventory and the previous inventory | asset change management | impl | base of type count | ADM:SG3.SP1
ADM-M13 | number of changes made to asset profiles in the asset inventory | asset change management | impl | base of type count | ADM:SG3.SP2
ADM-M14 | number of changes to resilience requirements as a result of asset changes | asset change management | impl | base of type count | ADM:SG3.SP2
ADM-M15 | number of changes to service continuity plans as a result of asset changes | asset change management | | base of type count | ADM:SG3.SP2

[14] The ID value is assigned based on the order in which the measure appears in CERT-RMM v1.1. Measures have been reordered here by the type of information.
[15] All references to assets and services in ADM and in all other PAs refer to high-value assets and high-value services. This qualifier applies throughout and is not included for ease of reading.
Access Management (AM)

The purpose of Access Management is to ensure that access granted to organizational assets is commensurate with their business and resilience requirements.

Summary of Specific Goals and Practices
AM:SG1 Manage and Control Access
  AM:SG1.SP1 Enable Access
  AM:SG1.SP2 Manage Changes to Access Privileges
  AM:SG1.SP3 Periodically Review and Maintain Access Privileges
  AM:SG1.SP4 Correct Inconsistencies

Measures

ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
AM-M1 | percentage of asset owners participating in establishing and maintaining access privileges for the assets that they own | access privileges | impl | derived | AM:SG1.SP1
AM-M2 | percentage of access requests that adhere to the access control policy | access policy | | |
AM-M3 | percentage of access acknowledgement forms that have been fully executed | access policy | | |
AM-M4 | percentage of access requests denied (based on policy) | access requests | | |
AM-M5 | percentage of approved access requests pending implementation beyond schedule | access requests | | |
AM-M6 | number of duplicate access requests | access requests | | |
AM-M7 | percentage of unapproved access requests that result in allowing access privileges (this should be zero) | access requests | | |
AM-M8 | percentage of access requests that do not reflect the requestor's role or job responsibilities (inadequate, excessive) | access requests | | derived | AM:SG1.SP1
AM-M9 | percentage of access privileges that are determined to be excessive or inappropriate based on the identity's role or job responsibilities | access privileges | impl | | AM:SG1.SP3
AM-M10 | elapsed time since access privileges were reviewed to ensure they reflect privileges assigned by the asset owner | access privileges | | |
AM-M11 | rate of requests to change access privileges | access privileges | | |
AM-M12 | percentage of access privilege change requests approved/denied | access privileges | | |
AM-M13 | percentage of corrective actions to address excessive or inappropriate levels of access privileges pending beyond schedule | | | |
AM-M14 | elapsed time from a change in access privileges requiring deprovisioning to the actual deprovisioning (mean, median) | deprovisioning | effectiveness | derived |
AM-M15 | number of risks related to inappropriate or excessive levels of access privileges that have been referred to the risk management process | risk identification | impl | |
Communications (COMM)

The purpose of Communications is to develop, deploy, and manage internal and external communications to support resilience activities and processes.

Summary of Specific Goals and Practices
COMM:SG1 Prepare for Resilience Communications
  COMM:SG1.SP1 Identify Relevant Stakeholders
  COMM:SG1.SP2 Identify Communications Requirements
  COMM:SG1.SP3 Establish Communications Guidelines and Standards
COMM:SG2 Prepare for Communications Management
  COMM:SG2.SP1 Establish a Resilience Communications Plan
  COMM:SG2.SP2 Establish a Resilience Communications Program
  COMM:SG2.SP3 Identify and Assign Plan Staff
COMM:SG3 Deliver Resilience Communications
  COMM:SG3.SP1 Identify Communications Methods and Channels
  COMM:SG3.SP2 Establish and Maintain Communications Infrastructure
COMM:SG4 Improve Communications
  COMM:SG4.SP1 Assess Communications Effectiveness
  COMM:SG4.SP2 Improve Communications

Measures

ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
COMM-M1 | confidence factor [16] that all stakeholders with a vested interest or vital role in resilience communications have been identified | communications stakeholders | impl | derived | COMM:SG1.SP1
COMM-M2 | percentage of communications stakeholders for which roles have/have not been defined | communications stakeholders | impl | derived | COMM:SG1.SP1
COMM-M3 | percentage of communications stakeholders for which stakeholder needs (types, frequencies, and levels of communication by specific circumstance) have/have not been defined | communications stakeholders | impl | derived | COMM:SG1.SP1
COMM-M4 | percentage of communications stakeholders for which resilience communications and requirements have/have not been defined | | impl | derived | COMM:SG1.SP2
COMM-M5 | percentage of resilience communications requirements that cannot be met (by some meaningful categorization such as missing, inadequate, or untrained staff; missing or inadequate tools, techniques, methods, etc., a.k.a. infrastructure) | | impl | derived | COMM:SG1.SP2 COMM:SG2.SP3 COMM:SG3.SP2
COMM-M6 | percentage of communications plan roles not covered in job descriptions | communications staff | impl | derived | COMM:SG2.SP3
COMM-M7 | percentage of stakeholders (by type) for which communications methods and channels have/have not been identified | communications stakeholders; communications methods and channels | impl | derived | COMM:SG3.SP1
COMM-M8 | number of new communications methods and channels | communications methods and channels | impl | |
COMM-M9 | percentage of methods and channels with sufficient infrastructure to support them | communications methods and channels | impl | |
COMM-M10 | number of communications delivered by event type, stakeholder type, method and channel type (or other meaningful categorization) | communications delivery | impl | |
COMM-M11 | percentage of communications methods and channels operating within expected tolerances (e.g., press release must be issued within one hour of a significant event) | communications delivery; communications methods and channels | effectiveness | derived | COMM:SG4.SP1
COMM-M12 | change (increase or decrease) in length of time to commence communications by event type | communications delivery | impl | derived |
COMM-M13 | percentage of stakeholders that do not receive communications within expected tolerances, by stakeholder type and by event type | communications delivery; communications stakeholders | effectiveness | derived |
COMM-M14 | number of communications methods and channels required to deliver the same or similar messages | communications delivery; communications methods and channels | | |
COMM-M15 | percentage of uptime or availability (downtime) of preferred communications methods, channels, and infrastructure | communications methods and channels; communications infrastructure | effectiveness | derived | COMM:SG4.SP1
COMM-M16 | number of recommendations for improvement referred to the event, incident, service continuity, and crisis management processes | process improvement | impl | | COMM:SG4.SP1
COMM-M17 | percentage of communications deficiencies and omissions for which corrective action is pending beyond schedule | communications deficiencies | effectiveness | derived |
COMM-M18 | number of service continuity plans that require updates as a result of communications deficiencies or omissions | communications deficiencies; service continuity plans | effectiveness | |
COMM-M19 | number of communications failures resulting from lack of adherence to resilience communications guidelines and standards | communications deficiencies; communications guidelines and standards | effectiveness | | COMM:SG1.SP3
COMM-M20 | percentage of resilience communications objectives that are being achieved according to plan | plan status | impl | derived | COMM:SG2.SP1

[16] Refer to comparable measure and template in Measuring Operational Resilience Using the CERT Resilience Management Model [Allen 2010], section 4.1.1.
Compliance (COMP)

The purpose of Compliance is to ensure awareness of and compliance with an established set of relevant internal and external guidelines, standards, practices, policies, regulations, and legislation, and other obligations (such as contracts and service level agreements) related to managing operational resilience.

Summary of Specific Goals and Practices
COMP:SG1 Prepare for Compliance Management
  COMP:SG1.SP1 Establish a Compliance Plan
  COMP:SG1.SP2 Establish a Compliance Program
  COMP:SG1.SP3 Establish Compliance Guidelines and Standards
COMP:SG2 Establish Compliance Obligations
  COMP:SG2.SP1 Identify Compliance Obligations
  COMP:SG2.SP2 Analyze Obligations
  COMP:SG2.SP3 Establish Ownership for Meeting Obligations
COMP:SG3 Demonstrate Satisfaction of Compliance Obligations
  COMP:SG3.SP1 Collect and Validate Compliance Data
  COMP:SG3.SP2 Demonstrate the Extent of Compliance Obligation Satisfaction
  COMP:SG3.SP3 Remediate Areas of Non-Compliance
COMP:SG4 Monitor Compliance Activities
  COMP:SG4.SP1 Evaluate Compliance Activities

Measures

ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
COMP-M1 | time expended to gather, organize, analyze, and report data for compliance obligations [17] | compliance data | impl | derived | COMP:SG2.SP1
COMP-M2 | percentage of compliance obligation data collection activities that are/are not automated | compliance data | impl | derived | COMP:SG1.SP2 COMP:SG1.SP3
COMP-M3 | number of compliance obligations (may require some prioritization of obligations such as high, medium, low) | | impl | | COMP:SG2.SP1
COMP-M4 | percentage of compliance obligations that have been inventoried | | impl | | COMP:SG2.SP1
COMP-M5 | percentage of compliance obligations with/without a designated owner (organizational unit, line of business) | | impl | | COMP:SG2.SP1 COMP:SG2.SP3
COMP-M6 | number of external entities with agreements to meet compliance obligations | obligation inventory | impl | | COMP:SG2.SP1 EXD:SG1.SP1
COMP-M7 | | obligation inventory | impl | derived | COMP:SG2.SP1 EXD:SG1.SP1
COMP-M8 | | obligation inventory | impl | derived | COMP:SG2.SP1 EXD:SG1.SP1
COMP-M9 | percentage of compliance obligations that are not met | obligation satisfaction | impl | derived | COMP:SG3.SP2
COMP-M10 | percentage of compliance obligations not met by deadline | obligation satisfaction | impl | derived | COMP:SG3.SP2
COMP-M11 | percentage of compliance activities that do not meet standards and guidelines | obligation satisfaction | | | COMP:SG3.SP2
COMP-M12 | percentage of controls required solely to meet compliance obligations | obligation satisfaction | | | COMP:SG4.SP1
COMP-M13 | percentage of service continuity guidelines and standards that are more/less stringent than required to meet compliance obligations | obligation satisfaction | | | SC:SG1.SP1 SC:SG1.SP2
COMP-M14 | number of compliance risks (exceptions, noncompliance, remediation) referred to key stakeholders (the risk management process, the organization's governance process, etc.) | obligation remediation | | |
COMP-M15 | percentage of compliance obligation violations requiring corrective action for which such action has not been taken as scheduled | | impl | derived |
COMP-M16 | percentage of compliance obligations that are conflicting (could also include duplicates, redundancies, and overlaps, but conflicts are likely of greatest interest) | | impl | derived |
COMP-M17 | percentage of compliance obligations requiring remediation for which the remediation action results in the obligation being met | | impl | derived |
COMP-M18 | cost to satisfy compliance obligations | | impl | |
COMP-M19 | costs of non-compliance including: amount of fines and penalties levied for nonreporting; amount of fines and penalties levied for noncompliance | | impl | |
COMP-M20 | number of deficiencies in the compliance process that directly resulted in compliance obligations not being met | compliance process | effectiveness | |
COMP-M21 | number of deficiencies in internal controls that directly resulted in compliance obligations not being met | compliance obligations; internal controls | effectiveness | |
COMP-M22 | number of errors in the compliance process caused by inaccurate or unavailable data | compliance process; compliance data | effectiveness | | COMP:SG3.SP1

[17] Any reference to compliance obligations includes (by category, by source) as part of the definition of the measure. It is omitted from measures for ease of reading.
Controls Management (CTRL)

The purpose of Controls Management is to establish, monitor, analyze, and manage an internal control system that ensures the effectiveness and efficiency of operations through assuring mission success of high-value services and the assets that support them.

Summary of Specific Goals and Practices
CTRL:SG1 Establish Control Objectives
  CTRL:SG1.SP1 Define Control Objectives
CTRL:SG2 Establish Controls
  CTRL:SG2.SP1 Define Controls
CTRL:SG3 Analyze Controls
  CTRL:SG3.SP1 Analyze Controls
CTRL:SG4 Assess Control Effectiveness
  CTRL:SG4.SP1 Assess Controls

Measures

ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
CTRL-M1 | confidence factor [18] that control objectives from all relevant management directives and guidelines have been identified: at the enterprise level; at the service level (perhaps by service type); at the asset level (perhaps by asset type) | control objectives | effectiveness | derived | CTRL:SG1.SP1
CTRL-M2 | percentage of control objectives that have been prioritized (should be 100%) | control objectives | impl | derived | CTRL:SG1.SP1
CTRL-M3 | percentage of enterprise-level controls for which responsibility has been confirmed or assigned [19] | enterprise controls | impl | derived | CTRL:SG2.SP1
CTRL-M4 | percentage of enterprise-level controls that do not map to one or more control objectives | enterprise controls | impl | derived | CTRL:SG2.SP1
CTRL-M5 | percentage of service-level controls for which responsibility has been confirmed or assigned | service controls | impl | derived | CTRL:SG2.SP1
CTRL-M6 | percentage of service-level controls that do not map to one or more control objectives | service controls | impl | derived | CTRL:SG2.SP1
CTRL-M7 | percentage of asset-level controls for which responsibility has been confirmed or assigned | asset controls | impl | derived | CTRL:SG2.SP1
CTRL-M8 | percentage of asset-level controls that do not map to one or more control objectives | asset controls | impl | derived | CTRL:SG2.SP1
CTRL-M9 | percentage of control objectives that are fully satisfied by existing controls: at the enterprise level; at the service level (perhaps by service type); at the asset level (perhaps by asset type) | control objective satisfaction | impl | derived | CTRL:SG3.SP1 [20]
CTRL-M10 | percentage of controls that satisfy multiple control objectives (and mean, median number of control objectives satisfied) | control objective satisfaction | impl | derived | CTRL:SG3.SP1
CTRL-M11 | percentage of controls that require updates to address gaps [21] (perhaps by control objective) | control objective satisfaction; control gaps | impl | derived | CTRL:SG3.SP1
CTRL-M12 | | control objective satisfaction; control changes | impl | derived | CTRL:SG3.SP1
CTRL-M13 | number of proposed new controls that are required to address gaps (perhaps by control objective) | control objective satisfaction; control gaps | | |
CTRL-M14 | percentage of control objectives that are affected by proposed new controls | control objective satisfaction; control changes | impl | | CTRL:SG3.SP1
CTRL-M15 | percentage of controls that are redundant | control redundancy | impl | derived | CTRL:SG3.SP1
CTRL-M16 | percentage of control objectives that are affected by redundant controls | control objectives; control redundancy | impl | derived | CTRL:SG3.SP1
CTRL-M17 | percentage of controls that are conflicting (enterprise, service, asset) | control conflicts | impl | derived | CTRL:SG3.SP1
CTRL-M18 | percentage of control objectives that are affected by conflicting controls | control objectives; control conflicts | impl | derived | CTRL:SG3.SP1
CTRL-M19 | percentage of control issues that are resolved in the required timeframe: gaps resulting from unsatisfied control objectives; redundant controls; conflicting controls | control issues; control changes | impl | derived | CTRL:SG3.SP1
CTRL-M20 | for issues that are not resolved, number of new/updated risks [22] (by risk rank) resulting from: unsatisfied control objectives; unaddressed redundant controls; unaddressed conflicting controls | | impl | | CTRL:SG3.SP1
CTRL-M21 | time and resources expended to conduct an analysis of controls (establish the baseline) | controls analysis | impl | derived | CTRL:SG3.SP1
CTRL-M22 | time and resources expended to conduct an assessment of controls (periodic) | controls assessment | impl | | CTRL:SG4.SP1
CTRL-M23 | number of problem areas resulting from the assessment of controls (perhaps by control objective) | controls assessment | impl | | CTRL:SG4.SP1
CTRL-M24 | number of problem areas escalated to higher level managers for review | controls assessment; control issues | impl | | CTRL:SG4.SP1
CTRL-M25 | percentage of control objectives requiring remediation plans | control objectives | impl | | CTRL:SG4.SP1
CTRL-M26 | for controls that can be automated, percentage of controls that have been fully automated | control automation | impl | | CTRL:SG4.SP1
CTRL-M27 | percentage of problem areas [23] that are/are not resolved within threshold (as scheduled): gaps resulting from unsatisfied control objectives; redundant controls; conflicting controls | | | |
CTRL-M28 | percentage reduction in number of controls | control changes | | derived | CTRL:SG4.SP1
CTRL-M29 | number of risks resulting from unresolved problems in the internal control system that are referred to the risk management process | | | | CTRL:SG4.SP1
CTRL-M30 | number of updates to service continuity plans that result from changes to the internal control system | | impl | | CTRL:SG4.SP1

[18] Refer to comparable measure and template in Measuring Operational Resilience Using the CERT Resilience Management Model [Allen 2010], section 4.1.1.
[19] Confirmation applies to existing and updated controls; assignment is required for new controls.
[20] CTRL:SG3 establishes a baseline analysis of the extent to which existing controls and proposed new controls cover and achieve control objectives for the resilience of services and supporting assets. CTRL:SG4 uses this established baseline as the foundation for periodically assessing the extent to which controls continue to achieve control objectives and the extent to which control objectives continue to meet resilience requirements.
[21] Where control objectives are not adequately satisfied by existing controls
[22] Risks result where the priority of a control objective and any resulting control gaps do not warrant further investment in updated or new controls.
Environmental Control (EC) The purpose of Environmental Control is to establish and manage an appropriate level of physical, environmental, and geographical controls to support the resilient operations of services in organizational facilities.
Summary of Specific Goals and Practices
EC:SG1 Establish and Prioritize Facility Assets EC:SG1.SP1 Prioritize Facility Assets EC:SG1.SP2 Establish Resilience-Focused Facility Assets EC:SG2 Protect Facility Assets EC:SG2.SP1 Assign Resilience Requirements to Facility Assets EC:SG2.SP2 Establish and Implement Controls EC:SG3 Manage Facility Asset Risk EC:SG3.SP1 Identify and Assess Facility Asset Risk EC:SG3.SP2 Mitigate Facility Risks EC:SG4 Control Operational Environment EC:SG4.SP1 Perform Facility Sustainability Planning EC:SG4.SP2 Maintain Environmental Conditions EC:SG4.SP3 Manage Dependencies on Public Services EC:SG4.SP4 Manage Dependencies on Public Infrastructure EC:SG4.SP5 Plan for Facility Retirement
23
May want to limit this measure to those problem areas that require remediation plans.
CMU/SEI-2011-TR-019 | 24
Measures
ID EC-M1 Measure percentage of facility assets that have been inventoried percentage of facility assets with/without a complete asset profile (such as no stated resilience requirements) percentage of facility assets with/without a designated owner percentage of facility assets with/without a designated custodian (if applicable) percentage of facility assets that have designated owners but no custodians (if applicable) percentage of facility assets that have designated custodians but no owners percentage of facility assets that have been inventoried, by service (if applicable) percentage of facility assets that are not associated with one or more services (if applicable) elapsed time since the facility asset inventory was reviewed Type of Information asset inventory Measure Type impl Base or Derived derived Applicable SG.SP ADM:SG1.S P1 ADM:SG1.S P2 EC:SG2.SP1 ADM:SG1.S P3 ADM:SG1.S P3 ADM:SG1.S P3 ADM:SG1.S P3 ADM:SG2.S P1 ADM:SG2.S P1 ADM:SG1.S P1 ADM:SG3.S P1 ADM:SG2.S P2 ADM:SG2.S P2 ADM:SG3.S P1 ADM:SG3.S P2 ADM:SG3.S P2 ADM:SG3.S P2 EC:SG1.SP1 EC:SG1.SP1 EC:SG1.SP2
EC-M2
asset inventory
impl
derived
EC-M3
asset inventory
impl
derived
EC-M4
asset inventory
impl
derived
EC-M5
asset inventory
impl
derived
EC-M6
asset inventory
impl
derived
EC-M7
asset inventory
impl
derived
EC-M8
asset inventory
impl
derived
EC-M9
asset inventory
impl
ECM10 ECM11 ECM12 ECM13 ECM14 ECM15 ECM16 ECM17 ECM18 ECM19 ECM20
percentage of facility asset-service dependency conflicts with unimplemented or incomplete mitigation plans percentage of facility asset-service dependency conflicts with no mitigation plans number of discrepancies between the current inventory and the previous inventory number of changes made to asset profiles in the facility asset inventory number of changes to resilience requirements as a result of facility asset changes number of changes to service continuity plans as a result of facility asset changes percentage of facility assets that are designated as high-value assets elapsed time since review and validation of high-value facility assets and their priorities percentage of facility assets that are resilience-focused (those required for service continuity & service restoration) elapsed time since review and reconciliation of resilience-focused facility assets percentage of facility assets without assigned/defined resilience requirements
impl
impl impl
derived base of type count base of type count base of type count base of type count derived derived derived
asset inventory
impl
asset change management asset change management asset inventory asset inventory asset inventory
impl impl
derived derived
CMU/SEI-2011-TR-019 | 25
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
– | percentage of facility assets with assigned/defined resilience requirements that are undocumented | – | impl | derived | EC:SG1.SP2
– | percentage of facility assets that do not satisfy their resilience requirements | – | impl; possibly effectiveness | derived | EC:SG2.SP1
– | percentage of facility assets with no or missing protection controls | – | impl; possibly effectiveness | – | EC:SG2.SP1
EC-M24 | percentage of facility assets with no or missing sustainment controls (including controls over design, construction, and leasing) | asset controls | impl; possibly effectiveness | derived | EC:SG2.SP2
EC-M25 | percentage of facility asset controls (protection and sustainment) that are ineffective or inadequate as demonstrated by: unsatisfied control objectives; unmet resilience requirements; outstanding control assessment problem areas above established thresholds and without remediation plans | asset controls | – | derived | EC:SG2.SP2
EC-M26 | percentage of facility asset control deficiencies not resolved by scheduled due date (refer to CTRL measures for categories of control deficiencies) | asset controls | impl | derived | EC:SG2.SP2
– | elapsed time since review of the effectiveness of facility asset controls | asset controls | impl | – | EC:SG2.SP2
– | elapsed time since risk assessment of facility assets performed | asset risk | impl | – | EC:SG3.SP1
– | percentage of facility assets for which business impact valuation [24] has not been performed | asset risk | impl | – | EC:SG3.SP1
– | percentage of facility assets for which a risk assessment has not been performed and documented (per policy or other guidelines) and according to plan | asset risk | impl | derived | EC:SG3.SP1
– | percentage of facility asset risks that have not been assigned to a responsible party for action, tracking, and closure | asset risk | impl | derived | EC:SG3.SP2
– | percentage of facility asset risks [25] with a disposition of mitigate or control that do not have a defined mitigation plan | asset risk | impl | derived | EC:SG3.SP2
– | percentage of facility asset risks with a mitigate or control disposition that are not effectively mitigated by their mitigation plans | asset risk | effectiveness | derived | EC:SG3.SP2 [26]
24
Business impact valuation can be either qualitative (high, medium, low) or quantitative (based on levels of loss or damage, fines, number of customers lost, disruption in access, etc.).
25
This measure also appears in RISK M4-1. For ease of use of an individual PA (vs. ease of maintenance and consistency), we have decided to replicate some (but not all) risk-related measures in the individual asset PAs that are identified generally in the list of RISK PA measures.
26
SG3.SP2 subpractice 7 states, "Collect performance measures on the risk management process." No such measures are included here in EC; refer to the RISK PA.
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
EC-M34 | percentage of realized risks for facility assets that exceed established risk parameters | asset risk | impl | – | –
EC-M35 | percentage of facility assets for which a business impact analysis has been performed | – | impl | – | –
EC-M36 | elapsed time since business impact analysis of facility assets performed | – | impl | – | –
EC-M37 | percentage of facilities with service continuity plans | – | – | – | –
EC-M38 | percentage of facilities that are included as associated assets by service-based continuity plans | – | – | – | –
EC-M39 | percentage of external entities that are not meeting service level agreements for maintaining facility assets | asset maintenance | impl | derived | EC:SG4.SP2
EC-M40 | percentage of facility assets that are not maintained at required maintenance levels (service intervals, specifications, etc.) | asset maintenance | impl | derived | EC:SG4.SP2
EC-M41 | percentage of facility maintenance activities that are not completed as scheduled | asset maintenance | impl | – | EC:SG4.SP2
EC-M42 | elapsed time since facility maintenance performed | asset maintenance | impl | – | EC:SG4.SP2
EC-M43 | downtime statistics for process control systems, for example: physical access systems such as card readers; physical access monitoring such as surveillance cameras; support systems such as HVAC and fire suppression | asset maintenance | impl | – | EC:SG4.SP2
EC-M44 | percentage of facilities with dependencies on public services that are documented in service continuity plans or other appropriate form | – | impl | derived | EC:SG4.SP3
EC-M45 | percentage of facilities with dependencies on public infrastructure that are documented in service continuity plans or other appropriate form | – | impl | derived | EC:SG4.SP4
EC-M46 | percentage of facilities to be retired with a plan for facility retirement or, alternatively, a service continuity plan that addresses facility retirement | asset retirement | impl | derived | EC:SG4.SP5
– | percentage of facilities planned for retirement that are not retired according to plan | – | – | – | –
– | number of violations of access control policies for facility assets | – | – | – | –
– | percentage of intrusions into facility assets where impact exceeds threshold | – | – | – | –
– | percentage of clean desk and screen policies that are met (no violations, all exceptions approved) | – | – | – | –
Enterprise Focus (EF)
The purpose of Enterprise Focus is to establish sponsorship, strategic planning, and governance over the operational resilience management system.
Summary of Specific Goals and Practices
EF:SG1 Establish Strategic Objectives
  EF:SG1.SP1 Establish Strategic Objectives
  EF:SG1.SP2 Establish Critical Success Factors
  EF:SG1.SP3 Establish Organizational Services
EF:SG2 Plan for Operational Resilience
  EF:SG2.SP1 Establish an Operational Resilience Management Plan
  EF:SG2.SP2 Establish an Operational Resilience Management Program
EF:SG3 Establish Sponsorship
  EF:SG3.SP1 Commit Funding for Operational Resilience Management
  EF:SG3.SP2 Promote a Resilience-Aware Culture
  EF:SG3.SP3 Sponsor Resilience Standards and Policies
EF:SG4 Provide Resilience Oversight
  EF:SG4.SP1 Establish Resilience as a Governance Focus Area
  EF:SG4.SP2 Perform Resilience Oversight
  EF:SG4.SP3 Establish Corrective Actions
Measures
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
EF-M1 | percentage of critical success factors that are attainable per their key performance indicators | CSF status | impl | derived | EF:SG1.SP2
EF-M2 | percentage of services for which a complete service profile has been documented in the service repository | services | impl | derived | EF:SG1.SP3
EF-M3 | percentage of services determined to be high-value | services | impl | derived | EF:SG1.SP3
EF-M4 | percentage of service profiles and service levels that have been reviewed within their review time frame | services | impl | derived | EF:SG1.SP3
EF-M5 | percentage of resilience objectives that are being achieved according to plan | – | impl | derived | EF:SG2.SP1
EF-M6 | percentage of operational resilience management plan commitments that are being met according to plan | – | impl | derived | EF:SG2.SP1
EF-M7 | percentage of operational resilience management program and process activities for which adequate funds have been allocated | – | impl | derived | –
EF-M8 | percentage of operational resilience management program and process activities for which adequate staff have been allocated | – | impl | derived | –
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
EF-M9 | percentage of staff demonstrating resilience awareness commensurate with job descriptions, as measured by the presence of stated resilience performance goals and objectives and regular review of these for satisfaction or correction | cultural awareness; candidate key indicator | impl | derived | EF:SG3.SP2, EF:SG4.SP2
EF-M10 | percentage of external entity relationships for which resilience requirements have been specified in the agreements with these entities (see also EXD) | cultural awareness; candidate key indicator | impl | derived | EF:SG3.SP2, EF:SG4.SP2
EF-M11 | percentage of external entity relationships for which resilience requirements have been implemented per the agreements with these entities (see also EXD) | sponsorship | impl | derived | EF:SG3.SP2, EF:SG4.SP2
EF-M12 | percentage of higher-level managers with explicit resilience goals | sponsorship | impl | derived | EF:SG3.SP2
EF-M13 | percentage of higher-level managers who are promoting and communicating resilience as measured by satisfactory performance evaluations | – | impl | derived | EF:SG3.SP2
EF-M14 | percentage of acculturation of resilience awareness that is the direct result of sponsorship (by staff group, by organizational unit) | sponsorship | impl | derived | EF:SG3.SP2
EF-M15 | percentage of higher-level managers that are fulfilling their commitments to manage resilience per policy as measured by satisfactory performance evaluations | sponsorship | impl | derived | EF:SG3.SP3, EF:SG4.SP1
EF-M16 | percentage of committee charters that include resilience responsibilities | oversight | impl | derived | EF:SG4.SP1
EF-M17 | percentage of key operational resilience management roles for which responsibilities, accountabilities, and authority are assigned and required skills identified, including key governance stakeholders | oversight | impl | derived | EF:SG4.SP1
EF-M18 | percentage of board meetings and/or designated committee meetings for which operational resilience management is on the agenda | oversight | impl | derived | EF:SG4.SP1
EF-M19 | percentage of key indicators (KPIs, KRIs, KCIs) that are within acceptable ranges | oversight | impl | derived | –
EF-M20 | percentage of key indicators that are outside of acceptable ranges and for which a corrective action plan exists | oversight | impl | derived | –
EF-M21 | percentage of key indicators with corrective action plans where actions taken were successful in bringing indicators within acceptable ranges | oversight | impl | derived | –
EF-M22 | elapsed calendar time since key indicators were reported to governance stakeholders | oversight | impl | – | EF:SG4.SP2
EF-M23 | percentage of required internal and external audits completed and reviewed by the board or other designated oversight body | oversight | impl | – | EF:SG4.SP2
EF-M24 | percentage of audit findings that have been resolved | oversight | impl | derived | EF:SG4.SP2
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
EF-M25 | percentage of incidents that caused damage, compromise, or loss beyond established thresholds to the organization's assets and services (categorized by asset, by service, by incident type, etc.) | – | – | – | –
EF-M26 | dollar amount of estimated damage or loss resulting from all incidents (categorized by asset, by service, by incident type, etc.) | – | impl | – | EF:SG4.SP2
EF-M27 | percentage of organizational units with established service continuity plan(s) for the services that require such a plan where the unit is the designated owner | – | impl | – | EF:SG4.SP2, SC:SG3.SP1
EF-M28 | percentage of key external resilience requirements (laws, regulations, standards, etc.) for which the organization has been deemed by objective audit to be in compliance (see also COMP) | – | impl | derived | EF:SG4.SP2
EF-M29 | level of capability achieved in other operational resilience management process areas | candidate key indicator | impl | – | EF:SG4.SP2
EF-M30 | percentage of operational resilience management policies that are met | candidate key indicator | impl | – | EF:SG4.SP2
EF-M31 | number of policy violations for policies related to each operational resilience management process area | candidate key indicator | impl | – | EF:SG4.SP2
EF-M32 | percentage of high-value assets (by asset type) for which a comprehensive strategy and internal control system have been implemented to mitigate risks as necessary and to maintain these risks within acceptable thresholds | candidate key indicator | impl | – | EF:SG4.SP2
EF-M33 | number of enterprise-level risks referred to the risk management process | – | – | – | EF:SG4.SP2
EF-M34 | percentage of CERT-RMM practices (based on a specific model scope) that are addressed by governance (EF) activities | – | – | – | none
External Dependencies Management (EXD)
The purpose of External Dependencies Management is to establish and manage an appropriate level of controls to ensure the resilience of services and assets that are dependent on the actions of external entities.
Summary of Specific Goals and Practices
EXD:SG1 Identify and Prioritize External Dependencies
  EXD:SG1.SP1 Identify External Dependencies
  EXD:SG1.SP2 Prioritize External Dependencies
EXD:SG2 Manage Risks Due to External Dependencies
  EXD:SG2.SP1 Identify and Assess Risks Due to External Dependencies
  EXD:SG2.SP2 Mitigate Risks Due to External Dependencies
EXD:SG3 Establish Formal Relationships
  EXD:SG3.SP1 Establish Enterprise Specifications for External Dependencies
  EXD:SG3.SP2 Establish Resilience Specifications for External Dependencies
  EXD:SG3.SP3 Evaluate and Select External Entities
  EXD:SG3.SP4 Formalize Relationships
EXD:SG4 Manage External Entity Performance
  EXD:SG4.SP1 Monitor External Entity Performance
  EXD:SG4.SP2 Correct External Entity Performance
Measures
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
EXD-M1 | by external dependency, in priority order: percentage of services that rely on the external dependency; percentage of assets that rely on the external dependency | definition of external dependencies | impl | derived | EXD:SG1.SP1, EXD:SG1.SP2
EXD-M2 | by external entity, in priority order: number of services that rely on [27] the external entity, by type of service (if applicable); number of assets that rely on the external entity, by type of asset; number of external dependencies which rely on the external entity [28]; number of compliance obligations that rely on or apply to the external entity; monetary value of the relationship with the external entity; number of agreement changes by change type; number of entities external to itself upon which the external entity relies to meet its obligations | identification of external entities | impl | – | EXD:SG1.SP1, EXD:SG1.SP2 [29]
EXD-M3 | percentage of assets that rely on external entities | – | impl | derived | –
EXD-M4 | – | – | impl | derived | –
27
"Rely on" includes accessed, owned, responsible for, developed, controlled, used, operated, or otherwise influenced by the external entity.
28
This should be supported by some type of visual traceability mapping that shows the relationships between external entities and external dependencies.
29
Prioritization of external entities is not explicitly addressed in SG1.SP2 but can be inferred.
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
EXD-M5 | number of external entities by relationship status (RFP, source selection, awarded, agreement/contract executed, performing as expected, out of compliance, in dispute or litigation, terminated, renewed, etc.) | definition of external entities | impl | – | –
EXD-M6 | number of external entities at each CERT-RMM capability level by process area [30] | – | impl | – | EXD:SG1.SP1
EXD-M7 | percentage of external dependencies without a designated owner | definition of external dependencies | impl | derived | –
EXD-M8 | percentage of external entities without a designated owner | identification of external entities | impl | derived | EXD:SG1.SP1
EXD-M9 | percentage of external dependencies involved in meeting compliance obligations | definition of external dependencies | impl | derived | EXD:SG1.SP1
EXD-M10 | percentage of external entities involved in meeting compliance obligations | identification of external entities | impl | derived | –
EXD-M11 | number of external entities that are providing commodity services (easily replaced) | identification of external entities | impl | base of type count | –
EXD-M12 | number of external entities that are providing specialized services (difficult to replace) | identification of external entities | impl | base of type count | –
EXD-M13 | number of external entities in the same geographic region (for assessing geographic and socio-political risk) | identification of external entities | impl | base of type count | –
EXD-M14 | number of external entities for which the relationship is managed by another part of the organization than the one owning the relationship | identification of external entities | impl | base of type count | –
EXD-M15 | percentage of external dependencies that have not been reviewed and updated as scheduled | update of external dependencies | impl | derived | –
EXD-M16 | elapsed time since risk assessment of external dependencies | – | impl | – | –
EXD-M17 | percentage of external dependencies for which a risk assessment has not been performed and documented (per policy or other guidelines) according to plan | – | impl | – | –
EXD-M18 | percentage of external dependency risks that have not been assigned to a responsible party for action, tracking, and closure | – | impl | derived | EXD:SG2.SP2
30
A CERT-RMM class A appraisal is required to assign a capability level. Not all external entities may have undergone such an appraisal.
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
EXD-M19 | percentage of external dependency risks [31] with a disposition of mitigate or control that do not have a defined mitigation plan | external dependency risk | impl | derived | EXD:SG2.SP2
EXD-M20 | percentage of external dependency risks with a mitigate or control disposition that are not effectively mitigated by their mitigation plans | external dependency risk | effectiveness | derived | EXD:SG2.SP2
EXD-M21 | percentage of realized risks for external dependencies that exceed established risk parameters | external dependency risk | impl | derived | EXD:SG2.SP2
EXD-M22 | percentage of RFPs for external entities that do not include resilience specifications | external entity selection | impl | derived | EXD:SG3.SP3
EXD-M23 | percentage of candidate external entities whose due diligence process is on track per plan | external entity selection | impl | derived | EXD:SG3.SP3
EXD-M24 | percentage of selected external entities without documented selection and decision rationale (this should be zero) | external entity selection | impl | – | EXD:SG3.SP3
EXD-M25 | number of resilience specifications unmet by the selected external entity | external entity selection | impl | – | EXD:SG3.SP3
EXD-M26 | number of resilience specifications unmet by the selected external entity that are identified as risks to be managed (ranked) | external entity selection | impl | – | EXD:SG3.SP3
EXD-M27 | percentage of agreements/contracts with external entities with specifications that have been waived as a result of negotiations | external entity agreements | impl | derived | EXD:SG3.SP4
EXD-M28 | percentage of external entities that are achieving all specifications as defined in the agreement | external entity agreements | impl | derived | EXD:SG4.SP1
EXD-M29 | percentage of external entity agreements that have not been reviewed as scheduled (including in response to changes in enterprise and resilience specifications) | external entity status | – | – | EXD:SG3.SP1, EXD:SG2.SP2
EXD-M30 | percentage of external entities whose status (monitoring and inspection activities) has not been reviewed as scheduled | – | impl | derived | EXD:SG4.SP1
EXD-M31 | percentage of external entities that have undergone, as required by agreement/contract: reviews; risk assessments; testing, evaluations; inspections; audits | – | impl | derived | EXD:SG4.SP1
EXD-M32 | percentage of external entities with corrective actions that have not been implemented as scheduled | – | impl | derived | EXD:SG4.SP2
EXD-M33 | percentage of external entities whose deliverables have failed to pass inspection | – | impl | derived | EXD:SG4.SP1
31
This measure also appears in RISK M4-1. For ease of use of an individual PA (vs. ease of maintenance and consistency), we have decided to replicate some (but not all) risk-related measures in the individual asset PAs that are identified generally in the list of RISK PA measures.
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
EXD-M34 | for all or specific external entities, elapsed time since last: risk assessment; performance review; compliance audit; joint service continuity exercise | external entity status | impl | – | –
EXD-M35 | for all applicable external entities, elapsed time since source code was last updated in source code escrow | – | impl | – | –
EXD-M36 | percentage of external entity risks that have not been assigned to a responsible party for action, tracking, and closure | external entity risk | – | – | –
EXD-M37 | percentage of realized risks for external entities that exceed established risk parameters | external entity risk | – | – | –
EXD-M38 | percentage of external entities whose financial health is at risk (beyond risk parameters) | external entity risk | – | – | –
EXD-M39 | percentage of external entities whose performance deviates sufficiently from specifications (beyond risk parameters) to cause a risk to be referred to the risk management process | external entity risk | – | – | –
EXD-M40 | percentage of external entities that play a key role in fulfilling service continuity plans during disruptive events | external entity service continuity | impl | derived | none
EXD-M41 | percentage of external entities that have tested their service continuity plans, including participating in tests conducted of the organization's service continuity plans | external entity service continuity | impl | derived | none
EXD-M42 | percentage of external entities that failed to perform as expected during a disruptive event | external entity service continuity | impl | derived | none
Financial Resource Management (FRM)
The purpose of Financial Resource Management is to request, receive, manage, and apply financial resources to support resilience objectives and requirements.
Summary of Specific Goals and Practices
FRM:SG1 Establish Financial Commitment
  FRM:SG1.SP1 Commit Funding for Operational Resilience Management
  FRM:SG1.SP2 Establish Structure to Support Financial Management
FRM:SG2 Perform Financial Planning
  FRM:SG2.SP1 Define Funding Needs
  FRM:SG2.SP2 Establish Resilience Budgets
  FRM:SG2.SP3 Resolve Funding Gaps
FRM:SG3 Fund Resilience Activities
  FRM:SG3.SP1 Fund Resilience Activities
FRM:SG4 Account for Resilience Activities
  FRM:SG4.SP1 Track and Document Costs
  FRM:SG4.SP2 Perform Cost and Performance Analysis
FRM:SG5 Optimize Resilience Expenditures and Investments
  FRM:SG5.SP1 Optimize Resilience Expenditures
  FRM:SG5.SP2 Determine Return on Resilience Investments
  FRM:SG5.SP3 Identify Cost Recovery Opportunities
Measures
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
FRM-M1 | elapsed time since the business case for the operational resilience management (ORM) system was reviewed and updated | resilience business case | impl | base of type schedule | FRM:SG1.SP1
FRM-M2 | elapsed time since ORM system funding was reviewed | resilience funding | impl | base of type schedule | FRM:SG1.SP1
FRM-M3 | elapsed time since ORM system funding was reviewed as part of the organization's strategic plan budgeting exercise | resilience funding | impl | base of type schedule | FRM:SG1.SP1
FRM-M4 | difference in planned versus actual funding for the ORM system | resilience funding | – | derived | FRM:SG1.SP1
FRM-M5 | elapsed time since responsibility and accountability for resilience budgeting, funding, and accounting activities were reviewed | resilience financial structure | – | – | FRM:SG1.SP2
FRM-M6 | percentage of resilience activities for which historical financial cost data is used as the basis for developing funding requirements | resilience funding | impl | derived | FRM:SG2.SP1
FRM-M7 | percentage of resilience funding assumptions that have been validated by comparison to resilience requirements | resilience funding | impl | derived | FRM:SG2.SP1
FRM-M8 | cost of resilience (COR) calculations | resilience cost | impl | derived | –
FRM-M9 | return on resilience investment (RORI) calculations | resilience cost; resilience benefit | impl | derived | –
FRM-M10 | percentage of resilience costs that are included as part of standard costs for services and products (chargebacks) | resilience cost | impl | derived | –
FRM-M11 | percentage of assets and services for which optimization [32] calculations have been performed | resilience cost; resilience benefit | impl | derived | FRM:SG5.SP1
FRM-M12 | percentage of optimization opportunities for which no action has been taken | resilience cost; resilience benefit | impl | derived | –
FRM-M13 | percentage of resilience activities with required budgets assigned, allocated, and applied, organized by organizational unit, project, asset, and service or other meaningful categorization scheme | resilience budgeting | impl | derived | –
FRM-M14 | elapsed time since resilience budgets were reviewed and updated | resilience budgeting | impl | – | FRM:SG2.SP2, FRM:SG4.SP1
32
The costs of attaining and sustaining an adequate level of operational resilience for an asset or service must be optimized against the value of the asset or service in order to rationalize and maximize the organization's investment in resilience.
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
– | elapsed time since resilience budgets were reviewed to confirm their adequacy to meet resilience performance measures | resilience budgeting | – | – | FRM:SG3.SP1
– | percentage of resilience activities subject to off-cycle or off-budget funding requests | resilience budgeting | – | derived | FRM:SG3.SP1
– | percentage of resilience activities tracking to planned budgets | resilience budgeting | – | derived | –
– | difference in planned versus actual cost for the ORM system | resilience cost | – | derived | –
– | percentage of resilience activities with budget variances outside of established thresholds for which resolution plans have been developed to reduce or eliminate these variances | resilience budgeting | – | – | –
FRM-M20 | percentage of financial exceptions reported to oversight managers and committees | – | impl | derived | FRM:SG4.SP2
FRM-M21 | percentage of resilience activities without required budget allocations for which gap and risk analysis has been performed | – | impl | derived | FRM:SG2.SP3
FRM-M22 | number of budget shortfall risks referred to the risk management process | – | impl | – | FRM:SG2.SP3
Human Resource Management (HRM)
The purpose of Human Resource Management is to manage the employment life cycle and performance of staff in a manner that contributes to the organization's ability to manage operational resilience.
Summary of Specific Goals and Practices
HRM:SG1 Establish Resource Needs
  HRM:SG1.SP1 Establish Baseline Competencies
  HRM:SG1.SP2 Inventory Skills and Identify Gaps
  HRM:SG1.SP3 Address Skill Deficiencies
HRM:SG2 Manage Staff Acquisition
  HRM:SG2.SP1 Verify Suitability of Candidate Staff
  HRM:SG2.SP2 Establish Terms and Conditions of Employment
HRM:SG3 Manage Staff Performance
  HRM:SG3.SP1 Establish Resilience as a Job Responsibility
  HRM:SG3.SP2 Establish Resilience Performance Goals and Objectives
  HRM:SG3.SP3 Measure and Assess Performance
  HRM:SG3.SP4 Establish Disciplinary Process
HRM:SG4 Manage Changes to Employment Status
  HRM:SG4.SP1 Manage Impact of Position Changes
[HRM measures table, page 36: the ID and Measure columns did not survive extraction. Surviving column entries, in order of appearance: Type of Information: resilience skill needs; resilience skill needs; resilience cost; resilience skill needs; resilience skill needs; resilience skill needs; resilience training; skills inventory; skills inventory; staff suitability; terms and conditions of employment; terms and conditions of employment; performance evaluation; performance evaluation; performance evaluation; disciplinary action; disciplinary action. Measure Type: impl throughout. Base or Derived: derived; base of type cost; base of type schedule; base of type effort. Applicable SG.SP: HRM:SG2.SP2; HRM:SG3.SP3; HRM:SG3.SP2; HRM:SG3.SP2; HRM:SG3.SP4; HRM:SG3.SP4.]
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
– | number of violations of resilience policies subject to disciplinary action | disciplinary action; resilience policy compliance | impl | base of type count | HRM:SG3.SP4
– | elapsed time since measures of resilience policy compliance were collected and reviewed | resilience policy compliance | impl | base of type schedule | HRM:SG3.SP4
– | number of skill gaps referred to the risk management process | risk identification | impl | base of type count | HRM:SG1.SP3
– | percentage of departing staff (from a position, from the organization) that participate in an exit interview | changes of employment status | impl | derived | HRM:SG4.SP1
– | percentage of departing staff (from a position, from the organization) that have returned all organizational assets, property, and information | changes of employment status | – | derived | HRM:SG4.SP2
HRM-M24 | percentage of departing staff (from a position, from the organization) whose access rights have been discontinued as scheduled | – | impl | derived | –
HRM-M25 | percentage of involuntary terminations that are processed in accordance with established criteria and procedures | – | impl | derived | –
Identity Management (ID)
The purpose of Identity Management is to create, maintain, and deactivate identities that may need some level of trusted access to organizational assets and to manage their associated attributes.
Summary of Specific Goals and Practices
ID:SG1 Establish Identities
  ID:SG1.SP1 Create Identities
  ID:SG1.SP2 Establish Identity Community
  ID:SG1.SP3 Assign Roles to Identities
ID:SG2 Manage Identities
  ID:SG2.SP1 Monitor and Manage Identity Changes
  ID:SG2.SP2 Periodically Review and Maintain Identities
  ID:SG2.SP3 Correct Inconsistencies
  ID:SG2.SP4 Deprovision Identities
Measures
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
ID-M1 | elapsed time from identity request to granting of identity credentials | identity requests | effectiveness | base of type schedule | ID:SG1.SP1
ID-M2 | percentage of identity requests denied (based on policy) | identity requests | impl | derived | ID:SG1.SP1
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
ID-M3 | percentage of identity requests approved that, on further investigation, should have been denied based on, for example, a mismatch with designated roles | – | – | – | –
ID-M4 | percentage of identity requests that duplicate previous or current requests | identity requests | impl | derived | ID:SG1.SP1
ID-M5 | percentage of identities for which roles have been authorized and justified by identity owners | identity roles | impl | derived | ID:SG1.SP3
ID-M6 | rate of change requests to current identity profiles | identity profiles | – | – | ID:SG2.SP1
ID-M7 | number of inconsistencies between identity profiles and their associated persons, objects, and entities | identity profiles; identity community | – | – | ID:SG1.SP1, ID:SG2.SP1
ID-M8 | percentage of identity profiles that are inaccurate | identity profiles | – | – | ID:SG2.SP2
ID-M9 | percentage of identity profiles that are vacant or invalid | identity profiles | – | – | ID:SG2.SP2
ID-M10 | percentage of identity profiles that are redundant | identity profiles | – | – | ID:SG2.SP2
ID-M11 | percentage of identity community inconsistencies for which corrective action is pending beyond schedule | identity profiles; identity community | – | – | ID:SG2.SP2, ID:SG2.SP3
ID-M12 | percentage of identities belonging to external entities | identity community | impl | derived | ID:SG1.SP1
ID-M13 | percentage of deprovisioned identities whose deprovisioning is pending beyond schedule | deprovisioning | impl | derived | ID:SG2.SP4
ID-M14 | number of incidents involving the identity repository | identity repository; incident analysis | impl | – | ID:SG1.SP2
ID-M15 | number of incidents involving the identity repository for which resolution is pending beyond schedule | identity repository; incident analysis | impl | – | –
ID-M16 | number of identity-related risks referred to the risk management process | risk identification | impl | – | –
Incident Management and Control (IMC)
The purpose of Incident Management and Control is to establish processes to identify and analyze events, detect incidents, and determine an appropriate organizational response.
Summary of Specific Goals and Practices
IMC:SG1 Establish the Incident Management and Control Process
  IMC:SG1.SP1 Plan for Incident Management
  IMC:SG1.SP2 Assign Staff to the Incident Management Plan
IMC:SG2 Detect Events
  IMC:SG2.SP1 Detect and Report Events
  IMC:SG2.SP2 Log and Track Events
  IMC:SG2.SP3 Collect, Document, and Preserve Event Evidence
  IMC:SG2.SP4 Analyze and Triage Events
IMC:SG3 Declare Incidents
  IMC:SG3.SP1 Define and Maintain Incident Declaration Criteria
  IMC:SG3.SP2 Analyze Incidents
IMC:SG4 Respond to and Recover from Incidents
  IMC:SG4.SP1 Escalate Incidents
  IMC:SG4.SP2 Develop Incident Response
  IMC:SG4.SP3 Communicate Incidents
  IMC:SG4.SP4 Close Incidents
IMC:SG5 Establish Incident Learning
  IMC:SG5.SP1 Perform Post-Incident Review
  IMC:SG5.SP2 Integrate with the Problem Management Process
  IMC:SG5.SP3 Translate Experience to Strategy
Measures
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
IMC-M1 | percentage of coverage of IM plan (extent to which IM management plan includes all organizational units and functions that require coverage; aka IM plan scope) | IM planning | impl; possibly effectiveness | derived | IMC:SG1.SP1
IMC-M2 | percentage of IM roles/responsibilities assigned to staff roles/members (extent to which IM plan roles and tasks are assigned to specific staff roles/members) | IM roles | impl | derived | IMC:SG1.SP2, IMC:SG2.SP1
IMC-M3 | percentage of staff who have not been trained on their roles and responsibilities as defined in IM plans | IM training | impl | derived | IMC:SG1.SP2
IMC-M4 | percentage of staff (managers, users) who have not completed training and awareness to identify anomalies and report them in the required timeframe (initial, refresher) | IM training | impl | derived | IMC:SG2.SP1
IMC-M5 | percentage of events triaged (events reported vs. events analyzed) | event analysis | – | derived | –
IMC-M6 | percentage of events that are stalled or awaiting activity beyond threshold | event analysis | – | derived | –
IMC-M7 | percentage of events whose documentation does not meet rules, laws, regulations, policies, or other requirements for forensic purposes | event analysis | – | derived | –
IMC-M8 | percentage of events without a disposition | event analysis | impl | derived | IMC:SG2.SP4
IMC-M9 | percentage of events open beyond scheduled threshold (such as specified number of days for closure) | event analysis | impl | derived | IMC:SG2.SP4
IMC-M10 | mean, median time to close an event, categorized in some meaningful manner | event analysis | – | derived | IMC:SG2.SP4
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
IMC-M11 | percentage change in the number of logged events | event analysis | impl; possibly effectiveness | derived | –
IMC-M12 | percentage of events that recur and result in declared incidents | incident analysis | impl; possibly effectiveness | derived | –
IMC-M13 | percentage of events (or sets of related events) declared as incidents | incident analysis | impl | derived | –
IMC-M14 | percentage of events declared as incidents that do not match the current incident declaration criteria | incident analysis | impl | – | –
IMC-M15 | number of incidents by incident type | incident analysis | impl | – | IMC:SG3.SP2
IMC-M16 | percentage of incidents that have been declared but not closed | incident analysis | impl | – | –
IMC-M17 | percentage of incidents that exploited existing vulnerabilities with known solutions, patches, or workarounds | incident analysis | impl | – | –
IMC-M18 | percentage of operational time that services and assets were unavailable (as seen by users and customers) due to incidents | incident analysis | effectiveness | derived | IMC:SG5.SP1
IMC-M19 | number of incidents by incident type and impact [33] | incident analysis | impl | – | –
IMC-M20 | number of incidents by incident type and root cause | incident analysis | impl | – | IMC:SG5.SP1
IMC-M21 | impact due to incidents by incident type | incident analysis | impl | – | IMC:SG5.SP1
IMC-M22 | change in impact due to incidents by incident type | incident analysis | impl; possibly effectiveness | – | IMC:SG5.SP1
IMC-M23 | percentage of incidents that recur | incident analysis | impl; possibly effectiveness | derived | –
IMC-M24 | percentage change in the number of incidents by incident type | incident analysis | impl; possibly effectiveness | derived | –
IMC-M25 | time (mean, median, range) between event detection and related incident declaration | incident analysis | impl; possibly effectiveness | derived | IMC:SG5.SP1
IMC-M26 | time (mean, median, range) between event detection and related incident response | incident analysis | impl; possibly effectiveness | derived | IMC:SG5.SP1
IMC-M27 | time (mean, median, range) between event detection and related incident closure | incident analysis | impl; possibly effectiveness | derived | IMC:SG5.SP1
IMC-M28 | percentage change in the elapsed time of the incident life cycle by incident type (mean, median, ranges) | incident analysis | impl; possibly effectiveness | derived | IMC:SG5.SP1
[33] Impact (i.e., the magnitude or consequences of incidents) can be represented as monetary cost, productivity cost, loss of revenue due to unavailability of services, etc.
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
IMCM29 | percentage of incidents that result in realized risks that exceed established risk parameters | - | impl; possibly effectiveness | derived | IMC:SG4.SP1
IMCM30 | percentage of incidents that require escalation | incident escalation | impl | derived | IMC:SG4.SP3
IMCM31 | percentage of incidents that require involvement of law enforcement [34] | incident escalation | impl; possibly effectiveness | derived | IMC:SG4.SP3
IMCM32 | percentage of incidents that require the involvement of regulatory and governing agencies | incident escalation | impl; possibly effectiveness | derived | -
IMCM33 | percentage of post-incident review recommendations that result in control changes or improvements to the process | process improvement | impl | derived | IMC:SG5.SP1
IMCM34 | number of problem reports referred to the problem management system | process improvement | impl | - | IMC:SG5.SP2
IMCM35 | extent to which incident occurrence (prevent) is reduced as a result of implementing CERT-RMM appraisal findings | potential element of resilience posture | effectiveness | - | none
IMCM36 | reduction in incident occurrence and impact (detect, respond, recover) as a result of implementing CERT-RMM appraisal findings | potential element of resilience posture | effectiveness | derived | none
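The incident-analysis measures in this table (IMCM15, IMCM16, IMCM23 and the detection-to-declaration, detection-to-response and detection-to-closure times of IMCM25 through IMCM27) are derived from a few base timestamps and counts recorded per incident ticket. The following Python script is added here as an illustration and is not part of the SEI report: the measure definitions are the report's, while the ticket record layout, the constructed sample tickets, the use of minutes as the unit, and the choice of all tickets as the denominator for the "open beyond threshold" share are assumptions made in this example.

```python
"""Derive CERT-RMM IMC incident-analysis measures from an incident ticket export.

Added illustration (not from CMU/SEI-2011-TR-019): the measure definitions are the
report's; the ticket record layout, the sample tickets and the choice of minutes as
the time unit are assumptions made here.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Optional


@dataclass
class Incident:
    ticket: str
    itype: str                     # incident type, for the "by incident type" breakdowns
    detected: datetime             # time the related event was detected
    declared: Optional[datetime]   # time the incident was declared
    responded: Optional[datetime]  # time of the first response action
    closed: Optional[datetime]     # closure time; None means still open
    recurrence_of: Optional[str]   # earlier ticket with the same root cause, if any


def _ts(value: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(value) if value else None


def load(rows) -> list:
    """rows: (ticket, type, detected, declared, responded, closed, recurrence_of)."""
    return [Incident(t, k, _ts(d), _ts(dc), _ts(r), _ts(c), rec)
            for t, k, d, dc, r, c, rec in rows]


# Constructed sample tickets (hypothetical data, ISO-8601 timestamps, no time zone)
SAMPLE = load([
    ("INC-1", "phishing", "2011-03-01T09:00", "2011-03-01T10:30", "2011-03-01T11:00", "2011-03-03T17:00", None),
    ("INC-2", "malware",  "2011-03-02T08:00", "2011-03-02T09:00", "2011-03-02T09:30", "2011-03-02T18:00", None),
    ("INC-3", "phishing", "2011-03-05T14:00", "2011-03-05T16:00", "2011-03-05T16:15", None,               "INC-1"),
    ("INC-4", "dos",      "2011-03-06T01:00", "2011-03-06T01:20", "2011-03-06T01:25", "2011-03-06T06:00", None),
    ("INC-5", "malware",  "2011-03-07T10:00", "2011-03-07T12:00", None,               None,               None),
    ("INC-6", "phishing", "2011-03-08T11:00", "2011-03-08T12:00", "2011-03-08T12:30", "2011-03-09T12:00", "INC-1"),
])


def pct(numerator: int, denominator: int) -> float:
    """Percentage with a zero-safe denominator (a derived measure)."""
    return 100.0 * numerator / denominator if denominator else 0.0


def elapsed_minutes(incidents, stage: str) -> list:
    """Minutes from detection to the given stage, skipping tickets that have not reached it."""
    return [(getattr(i, stage) - i.detected).total_seconds() / 60
            for i in incidents if getattr(i, stage) is not None]


def lifecycle_stats(incidents, stage: str) -> dict:
    """IMCM25/26/27: mean, median and range of detection-to-declaration/response/closure."""
    minutes = elapsed_minutes(incidents, stage)
    if not minutes:
        return {"n": 0}
    return {"n": len(minutes), "mean": mean(minutes), "median": median(minutes),
            "range": (min(minutes), max(minutes))}


def count_by_type(incidents) -> dict:
    """IMCM15: number of incidents by incident type (a base count)."""
    return dict(Counter(i.itype for i in incidents))


def pct_declared_not_closed(incidents) -> float:
    """IMCM16: declared incidents that are still open."""
    declared = [i for i in incidents if i.declared is not None]
    return pct(sum(i.closed is None for i in declared), len(declared))


def pct_recurring(incidents) -> float:
    """IMCM23: incidents recorded as a recurrence of an earlier incident."""
    return pct(sum(i.recurrence_of is not None for i in incidents), len(incidents))


def pct_open_beyond(incidents, threshold: timedelta, now: datetime) -> float:
    """Open tickets older than the threshold, as a share of all tickets.

    Incident analogue of IMCM9; using all tickets as the denominator is an
    assumption of this example, not a definition taken from the report."""
    stale = sum(i.closed is None and now - i.detected > threshold for i in incidents)
    return pct(stale, len(incidents))


def report(incidents, now: datetime, threshold: timedelta = timedelta(days=2)) -> dict:
    return {
        "IMCM15 incidents by type": count_by_type(incidents),
        "IMCM16 % declared not closed": pct_declared_not_closed(incidents),
        "IMCM23 % recurring": pct_recurring(incidents),
        "IMCM25 detection->declaration (min)": lifecycle_stats(incidents, "declared"),
        "IMCM26 detection->response (min)": lifecycle_stats(incidents, "responded"),
        "IMCM27 detection->closure (min)": lifecycle_stats(incidents, "closed"),
        "open beyond threshold (%)": pct_open_beyond(incidents, threshold, now),
    }


if __name__ == "__main__":
    for name, value in report(SAMPLE, now=datetime(2011, 3, 8, 12)).items():
        print(f"{name}: {value}")
```

Tickets that have not reached a stage are excluded from that stage's statistics rather than treated as zero, which is what keeps the closure times honest while incidents are still open; the `n` field in each result records how many tickets the statistic is based on, so a reader of the report can see when a mean rests on very few samples.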
Knowledge and Information Management (KIM) The purpose of Knowledge and Information Management is to establish and manage an appropriate level of controls to support the confidentiality, integrity, and availability of the organization's information, vital records, and intellectual property.
Summary of Specific Goals and Practices
KIM:SG1 Establish and Prioritize Information Assets KIM:SG1.SP1 Prioritize Information Assets KIM:SG1.SP2 Categorize Information Assets KIM:SG2 Protect Information Assets KIM:SG2.SP1 Assign Resilience Requirements to Information Assets KIM:SG2.SP2 Establish and Implement Controls KIM:SG3 Manage Information Asset Risk KIM:SG3.SP1 Identify and Assess Information Asset Risk KIM:SG3.SP2 Mitigate Information Asset Risk KIM:SG4 Manage Information Asset Confidentiality and Privacy KIM:SG4.SP1 Encrypt High-Value Information KIM:SG4.SP2 Control Access to Information Assets KIM:SG4.SP3 Control Information Asset Disposition
[34] Additional measures could be included here for any of the roles listed in IMC:SG4.SP3.
KIM:SG5 Manage Information Asset Integrity KIM:SG5.SP1 Control Modification of Information Assets KIM:SG5.SP2 Manage Information Asset Configuration KIM:SG5.SP3 Verify Validity of Information KIM:SG6 Manage Information Asset Availability KIM:SG6.SP1 Perform Information Duplication and Retention KIM:SG6.SP2 Manage Organizational Knowledge
Measures
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
KIM-M1 | percentage of information assets that have been inventoried | asset inventory | impl | derived | ADM:SG1.SP1, KIM:SG1.SP1
KIM-M2 | percentage of information assets with/without a complete asset profile (such as no stated resilience requirements) | asset inventory | impl | derived | ADM:SG1.SP2, KIM:SG2.SP1
KIM-M3 | percentage of information assets with/without a designated owner | asset inventory | impl | derived | ADM:SG1.SP3
KIM-M4 | percentage of information assets with/without a designated custodian (if applicable) | asset inventory | impl | derived | ADM:SG1.SP3
KIM-M5 | percentage of information assets that have designated owners but no custodians (if applicable) | asset inventory | impl | derived | ADM:SG1.SP3
KIM-M6 | percentage of information assets that have designated custodians but no owners | asset inventory | impl | derived | ADM:SG1.SP3
KIM-M7 | percentage of information assets that have been inventoried, by service | asset inventory | - | derived | -
KIM-M8 | percentage of information assets that are not associated with one or more services | asset inventory | - | derived | -
KIM-M9 | elapsed time since the information asset inventory was reviewed | asset inventory | - | - | -
KIM-M10 | percentage of information asset-service dependency conflicts with unimplemented or incomplete mitigation plans | asset-service dependencies | impl | derived | -
KIM-M11 | percentage of information asset-service dependency conflicts with no mitigation plan | asset-service dependencies | impl | derived | ADM:SG2.SP2
KIM-M12 | number of discrepancies between the current inventory and the previous inventory | asset inventory | impl | base of type count | ADM:SG3.SP1
KIM-M13 | number of changes made to asset profiles in the information asset inventory | asset inventory | impl | base of type count | ADM:SG3.SP2
KIM-M14 | number of changes to resilience requirements as a result of information asset changes | asset change management | impl | base of type count | ADM:SG3.SP2
KIM-M15 | number of changes to service continuity plans as a result of information asset changes | asset change management | impl | base of type count | ADM:SG3.SP2
KIM-M1 (as printed) | percentage of information assets that are designated as high-value assets | asset inventory | impl | derived | KIM:SG1.SP1
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
KIM-M16 | elapsed time since review and validation of high-value information assets and their priorities | - | - | - | -
KIM-M17 | number of information assets categorized by service (includes number of assets that support 2 or more, 3 or more, etc., services) | - | impl | - | KIM:SG1.SP1
KIM-M18 | percentage of information assets that have not been categorized as to level of sensitivity | asset inventory | impl | derived | KIM:SG1.SP2
KIM-M19 | percentage of information assets without assigned/defined resilience requirements | asset requirements | impl | derived | KIM:SG2.SP1
KIM-M20 | percentage of information assets with assigned/defined resilience requirements that are undocumented | asset requirements | impl | derived | KIM:SG2.SP1
KIM-M21 | percentage of information assets with no (or missing) protection controls | asset controls | - | derived | KIM:SG2.SP2
KIM-M22 | percentage of information assets with no (or missing) sustainment controls | asset controls | - | derived | KIM:SG2.SP2
KIM-M23 | percentage of information asset controls (protection and sustainment) that are ineffective or inadequate as demonstrated by: unsatisfied control objectives; unmet resilience requirements; outstanding control assessment problem areas above established thresholds and without remediation plans | asset controls | - | derived | KIM:SG2.SP2
KIM-M24 | percentage of information asset control deficiencies not resolved by scheduled due date (refer to CTRL measures for categories of control deficiencies) | asset controls | impl | derived | KIM:SG2.SP2
KIM-M25 | elapsed time since review of the effectiveness of information asset controls | - | impl | base of type schedule | KIM:SG2.SP2
KIM-M26 | elapsed time since risk assessment of information assets performed | - | impl | base of type schedule | KIM:SG3.SP1
KIM-M27 | elapsed time since business impact analysis of information assets performed | asset risk | impl | base of type schedule | KIM:SG3.SP1
KIM-M28 | percentage of information assets for which business impact valuation [35] has not been performed | asset risk | impl | derived | KIM:SG3.SP1
KIM-M29 | percentage of information assets for which a risk assessment has not been performed and documented (per policy or other guideline) and according to plan | asset risk | impl | derived | KIM:SG3.SP1
KIM-M30 | percentage of information asset risks that have not been assigned to a responsible party for action, tracking, and closure | asset risk | impl | derived | KIM:SG3.SP2
[35] Business impact valuation can be either qualitative (high, medium, low) or quantitative (based on levels of loss or damage, fines, number of customers lost, disruption in access, disclosure, alteration, destruction, etc.).
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
KIM-M31 | percentage of information asset risks [36] with a disposition of mitigate or control that do not have a defined mitigation plan | - | - | derived | -
KIM-M32 | percentage of information asset risks with a mitigate or control disposition that are not effectively mitigated by their mitigation plans | asset risk | effectiveness | derived | KIM:SG3.SP2
KIM-M33 | percentage of realized risks for information assets that exceed established risk parameters | asset risk | - | derived | KIM:SG3.SP2
KIM-M34 | number of violations of access control policies for information assets and, as a result: number of successful intrusions into technology assets (digital information assets) or facility assets (physical information assets) where information assets live; number of information assets that have been accessed in an unauthorized manner; number of incidents declared; number of breaches of confidentiality and privacy | - | - | - | KIM:SG4.SP2, KIM:SG5.SP1
KIM-M35 | percentage of information assets for which encryption is required and not implemented | - | impl | derived | KIM:SG4.SP1
KIM-M36 | percentage of retired information assets that are not disposed of in accordance with information asset disposition guidelines | - | impl | derived | KIM:SG4.SP3
KIM-M37 | percentage of retired information assets that have not been disposed of according to plan | asset confidentiality | impl | derived | KIM:SG4.SP3
KIM-M38 | percentage of anomalies in information asset modification logs that have not been addressed as scheduled | asset integrity | impl | derived | KIM:SG5.SP1
KIM-M39 | percentage of anomalies in information asset configuration control logs that have not been addressed as scheduled | asset integrity | impl | derived | KIM:SG5.SP2
KIM-M40 | percentage of information asset logs that are not validated and placed under configuration control as scheduled | asset integrity | impl | derived | -
KIM-M41 | percentage of information assets with accuracy and completeness controls that have not been reviewed as scheduled | asset integrity | impl | derived | -
KIM-M42 | percentage of information assets that have not been backed up as scheduled | asset availability | impl | derived | KIM:SG6.SP1
[36] This measure also appears in RISK M4-1. For ease of use of an individual PA (vs. ease of maintenance and consistency), we have decided to replicate some (but not all) risk-related measures in the individual asset PAs that are identified generally in the list of RISK PA measures.
[37] SG3.SP2 subpractice 7 states, "Collect performance measures on the risk management process." No such measures are included here in KIM; refer to the RISK PA.
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
KIM-M43 | percentage of information assets that have not been tested to verify that they can be accurately restored from backups as scheduled | - | - | derived | -
KIM-M44 | percentage of vital staff with institutional knowledge where such knowledge has not been captured/transferred (via such methods as cross training) | asset availability | impl | derived | KIM:SG6.SP2
KIM-M45 | percentage of information assets that do not satisfy their resilience requirements | - | - | derived | -
KIM-M46 | number of policy violations related to confidentiality, integrity, availability, privacy, and access control of information assets | - | - | - | -
KIM-M47 | percentage of external entities that are not meeting service level agreements for information assets subject to external entity services | - | impl | derived | none
KIM-M48 | percentage of information assets that are not maintained at required maintenance levels (for information assets subject to maintenance agreements) | asset evaluation | impl | derived | none
Measurement and Analysis (MA) The purpose of Measurement and Analysis is to develop and sustain a measurement capability that is used to support management information needs for managing the operational resilience management system.
Summary of Specific Goals and Practices
MA:SG1 Align Measurement and Analysis Activities MA:SG1.SP1 Establish Measurement Objectives MA:SG1.SP2 Specify Measures MA:SG1.SP3 Specify Data Collection and Storage Procedures MA:SG1.SP4 Specify Analysis Procedures MA:SG2 Provide Measurement Results MA:SG2.SP1 Collect Measurement Data MA:SG2.SP2 Analyze Measurement Data MA:SG2.SP3 Store Data and Results MA:SG2.SP4 Communicate Results
Measures
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
MA-M1 | percentage of measurement objectives that can be traced to information needs and objectives | measurement objectives | impl | derived | MA:SG1.SP1
MA-M2 | percentage of measures for which operational definitions have been specified | measures | impl | derived | MA:SG1.SP2
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
MA-M3 | percentage of measurement objectives achieved (against defined targets, if relevant) | - | - | derived | -
MA-M4 | percentage of operational resilience management system performance goals for which measurement data is collected, analyzed, and communicated | - | - | derived | MA:SG2.SP1, MA:SG2.SP2, MA:SG2.SP4
MA-M5 | percentage of organizational units, services, and activities using operational resilience management measures to assess the performance of operational resilience management processes | ORMS measurement | - | derived | -
MA-M6 | elapsed time between collection, analysis, and communication of measurement data | - | impl | - | -
MA-M7 | percentage of measures that can be traced to measurement objectives | - | impl | derived | MA:SG1.SP1
MA-M8 | percentage of measures whose collection, analysis, and reporting is automated | - | impl | derived | MA:SG1.SP3, MA:SG1.SP4, MA:SG2.SP1, MA:SG2.SP2, MA:SG2.SP3
MA-M9 | percentage of specified measures that are collected, analyzed, and stored | - | impl | derived | MA:SG2.SP1, MA:SG2.SP2, MA:SG2.SP3
Monitoring (MON) The purpose of Monitoring is to collect, record, and distribute information about the operational resilience management system to the organization on a timely basis.
Summary of Specific Goals and Practices
MON:SG1 Establish and Maintain a Monitoring Program MON:SG1.SP1 Establish a Monitoring Program MON:SG1.SP2 Identify Stakeholders MON:SG1.SP3 Establish Monitoring Requirements MON:SG1.SP4 Analyze and Prioritize Monitoring Requirements MON:SG2 Perform Monitoring MON:SG2.SP1 Establish and Maintain Monitoring Infrastructure MON:SG2.SP2 Establish Collection Standards and Guidelines MON:SG2.SP3 Collect and Record Information MON:SG2.SP4 Distribute Information
Measures
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
MONM1 | percentage of operational resilience management system performance goals for which monitoring data is collected, recorded, and distributed | ORMS assessment | impl | derived | MON:SG2.SP3, MON:SG2.SP4
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
MONM2 | percentage of organizational units, services, and activities using monitoring data to assess the performance of operational resilience management processes | - | impl | derived | MON:SG2.SP4
MONM3 | percentage of monitoring requirements accepted (accepted requirements divided by total requirements) | monitoring coverage | impl | derived | MON:SG1.SP3
MONM4 | number of requirements gaps (total requirements minus accepted requirements) | monitoring coverage | - | base of type count | -
MONM5 | number of ranked risks resulting from unsatisfied monitoring requirements | risk identification | - | base of type count | -
MONM6 | elapsed time from high-value data collection to data distribution to key stakeholders | monitoring communication | - | base of type schedule | -
MONM7 | number of new, changed, and retired monitoring requirements | monitoring variability | - | base of type count | -
MONM8 | number of times the monitoring plan has been revised | monitoring variability | impl | base of type count | MON:SG1.SP1
MONM9 | percentage of data collection activities that are automated | monitoring process | impl | derived | MON:SG2.SP3
Organizational Process Definition (OPD) The purpose of Organizational Process Definition is to establish and maintain a usable set of organizational process assets and work environment standards for operational resilience.
Summary of Specific Goals and Practices
OPD:SG1 Establish Organizational Process Assets OPD:SG1.SP1 Establish Standard Processes OPD:SG1.SP2 Establish Tailoring Criteria and Guidelines OPD:SG1.SP3 Establish the Organization's Measurement Repository OPD:SG1.SP4 Establish the Organization's Process Asset Library OPD:SG1.SP5 Establish Work Environment Standards OPD:SG1.SP6 Establish Rules and Guidelines for Integrated Teams
Measures
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
OPDM1 | percentage of organizational units (including projects) using the organization's standard processes | standard process deployment | impl | derived | OPD:SG1.SP1
OPDM2 | percentage of standard processes that map to process policies, standards, or models | standard process development | impl | derived | OPD:SG1.SP1
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
OPDM3 | percentage of standard processes that satisfy process needs and objectives | standard process development | impl | derived | OPD:SG1.SP1
OPDM4 | percentage of standard processes that have been tailored, by organizational unit | standard process development | impl | derived | OPD:SG1.SP2
OPDM5 | number of times a standard process has been tailored | standard process use | impl | - | OPD:SG1.SP2
OPDM6 | number of waivers by standard process | standard process use | impl | - | OPD:SG1.SP2
OPDM7 | - | standard process deployment | impl | - | OPD:SG1.SP2
OPDM8 | - | tailoring guideline development | - | - | -
OPDM9 | defect density of each process element of the organization's set of standard processes | standard process development | effectiveness | derived | OPD:SG1.SP1
OPDM10 | - | standard process development | impl | base of type schedule | OPD:SG1.SP1
OPDM11 | - | standard process maintenance | impl | base of type schedule | OPD:SG1.SP1
OPDM12 | number of unapproved changes to the process asset library | process asset maintenance | impl | base of type count | OPD:SG1.SP4
OPDM13 | number of times each item in the process asset library is accessed | process asset library use | impl | base of type count | OPD:SG1.SP4
OPDM14 | percentage of product and process measures residing in the measurement repository that are used in status reports | measurement repository | impl | derived | OPD:SG1.SP3
OPDM15 | number of waivers by work environment standard | work environment standards | impl | - | OPD:SG1.SP5
OPDM16 | number of worker's compensation claims due to work environment | work environment standards | impl | - | OPD:SG1.SP5
Organizational Process Focus (OPF) The purpose of Organizational Process Focus is to plan, implement, and deploy organizational process improvements based on a thorough understanding of the current strengths and weaknesses of the organization's operational resilience processes and process assets.
Summary of Specific Goals and Practices
OPF:SG1 Determine Process Improvement Opportunities OPF:SG1.SP1 Establish Organizational Process Needs OPF:SG1.SP2 Appraise the Organization's Processes OPF:SG1.SP3 Identify the Organization's Process Improvements OPF:SG2 Plan and Implement Process Actions OPF:SG2.SP1 Establish Process Action Plans OPF:SG2.SP2 Implement Process Action Plans OPF:SG3 Deploy Organizational Process Assets and Incorporate Experiences OPF:SG3.SP1 Deploy Organizational Process Assets OPF:SG3.SP2 Deploy Standard Processes OPF:SG3.SP3 Monitor the Implementation OPF:SG3.SP4 Incorporate Experiences into Organizational Process Assets
Measures
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
OPFM1 | percentage of process improvement proposals accepted | process improvement | impl | derived | OPF:SG1.SP3
OPFM2 | percentage of planned process improvements implemented | process improvement | impl | derived | OPF:SG2.SP2
OPFM3 | percentage of improvements resulting from appraisals | process improvement | impl | derived | -
OPFM4 | percentage of improvements resulting from experience reports and lessons learned | process improvement | impl | derived | -
OPFM5 | CERT Resilience Management Model capability levels | process capability | effectiveness | - | -
OPFM6 | elapsed time for deployment of an organizational process asset | process asset deployment | impl | - | OPF:SG3.SP1
OPFM7 | status against schedule for deployment of an organizational process asset (i.e., met or exceeded and by how much) | process asset deployment | effectiveness | - | OPF:SG3.SP1
OPFM8 | percentage of organizational units using the organization's current set of standard processes (or tailored versions of same) | standard process deployment | impl | derived | OPF:SG3.SP2
OPFM9 | issue trends associated with implementing the organization's set of standard processes (i.e., number of issues identified and number closed) | standard process deployment | effectiveness | derived | OPF:SG3.SP3
OPFM10 | percentage of waivers approved/rejected by standard process | standard process deployment | impl | derived | OPF:SG3.SP4
OPFM11 | percentage of standard processes that have been tailored, by organizational unit | standard process tailoring | impl | derived | OPF:SG3.SP2
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
OPFM12 | number of times a standard process has been tailored | - | - | - | -
OPFM13 | progress toward achievement of process needs and objectives | - | effectiveness | - | OPF:SG1.SP1
OPFM14 | percentage of processes that can be mapped directly to documented critical success factors or an enterprise strategy | - | impl | derived | OPF:SG1.SP1
Organizational Training and Awareness (OTA) The purpose of Organizational Training and Awareness is to promote awareness in and develop the skills and knowledge of people in support of their roles in attaining and sustaining operational resilience.
Summary of Specific Goals and Practices
OTA:SG1 Establish Awareness Program OTA:SG1.SP1 Establish Awareness Needs OTA:SG1.SP2 Establish Awareness Plan OTA:SG1.SP3 Establish Awareness Delivery Capability OTA:SG2 Conduct Awareness Activities OTA:SG2.SP1 Perform Awareness Activities OTA:SG2.SP2 Establish Awareness Records OTA:SG2.SP3 Assess Awareness Program Effectiveness OTA:SG3 Establish Training Capability OTA:SG3.SP1 Establish Training Needs OTA:SG3.SP2 Establish Training Plan OTA:SG3.SP3 Establish Training Capability OTA:SG4 Conduct Training OTA:SG4.SP1 Deliver Training OTA:SG4.SP2 Establish Training Records OTA:SG4.SP3 Assess Training Effectiveness
Measures
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
OTAM1 | percentage of awareness needs for each staff group that are addressed in the awareness plan | awareness needs; awareness activities | impl | derived | OTA:SG1.SP1, OTA:SG1.SP2
OTAM2 | difference in planned versus actual awareness sessions delivered | awareness activities | impl | derived | OTA:SG1.SP2, OTA:SG2.SP1
OTAM3 | schedule of delivery of awareness sessions (planned frequency versus actual frequency) | awareness activities | impl | derived | OTA:SG1.SP2, OTA:SG2.SP1
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
OTAM4 | elapsed time since awareness materials were reviewed and updated | awareness activities | impl | - | OTA:SG2.SP2
OTAM5 | percentage of new users (internal and external) who have satisfactorily completed awareness sessions before being granted network access | awareness activities; awareness requirements | - | derived | -
OTAM6 | percentage of users (internal and external) who have satisfactorily completed periodic awareness refresher sessions as required by policy | awareness activities; awareness requirements | impl | derived | OTA:SG2.SP2
OTAM7 | percentage of awareness activities that include a mechanism for evaluating the effectiveness of the awareness activity | awareness activities | impl | derived | OTA:SG2.SP3
OTAM8 | percentage of passing scores (by participants) on awareness assessments | awareness assessments | effectiveness | derived | OTA:SG2.SP3
OTAM9 | percentage of staff who have been assessed to determine if their level of awareness is commensurate with their job responsibilities | awareness assessments | effectiveness | derived | OTA:SG2.SP3
OTAM10 | percentage of staff waived from awareness activities | awareness waivers | impl | derived | -
OTAM11 | percentage of training needs for each role and responsibility that are addressed in the training plan | training needs; training courses | impl | derived | -
OTAM12 | difference in planned versus actual training courses delivered | training courses | impl | derived | -
OTAM13 | schedule of delivery of training sessions (planned frequency versus actual frequency) | training courses | impl | derived | -
OTAM14 | percentage of favorable post-training evaluation ratings, including instructor ratings | training courses | effectiveness | derived | -
OTAM15 | elapsed time since training materials were reviewed and updated | - | impl | - | OTA:SG3.SP3
OTAM16 | number of internal staff members for whom training was planned versus number trained (percentage) | - | impl | derived | OTA:SG4.SP1
OTAM17 | number of external staff members for whom training was expected or contracted versus number trained (percentage) | staff training | impl | derived | OTA:SG4.SP1
OTAM18 | percentage of favorable training program quality survey ratings | - | - | derived | -
OTAM19 | percentage of passing scores (by participants) on training examinations | - | - | derived | -
OTAM20 | percentage of staff who have been assessed to determine if training has been effective [38] commensurate with their job responsibilities | - | - | derived | -
OTAM21 | percentage of staff waived from training | training waivers | impl | derived | OTA:SG4.SP2
People Management (PM) The purpose of People Management is to establish and manage the contributions and availability of people to support the resilient operation of organizational services.
Summary of Specific Goals and Practices
PM:SG1 Establish Vital Staff PM:SG1.SP1 Identify Vital Staff PM:SG2 Manage Risks Associated with Staff Availability PM:SG2.SP1 Identify and Assess Staff Risk PM:SG2.SP2 Mitigate Staff Risk PM:SG3 Manage the Availability of Staff PM:SG3.SP1 Establish Redundancy for Vital Staff PM:SG3.SP2 Perform Succession Planning PM:SG3.SP3 Prepare for Redeployment PM:SG3.SP4 Plan to Support Staff During Disruptive Events PM:SG3.SP5 Plan for Return-to-Work Considerations
Measures
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
PM-M1 | percentage of staff-service dependency conflicts with unimplemented or incomplete mitigation plans | asset-service dependencies; risk mitigation | impl | derived | ADM:SG2.SP2, PM:SG2.SP1, PM:SG2.SP2
PM-M2 | percentage of staff-service dependency conflicts with no mitigation plan | asset-service dependencies; risk mitigation | impl | derived | ADM:SG2.SP2, PM:SG2.SP1, PM:SG2.SP2
PM-M3 | number of changes to service continuity plans as a result of staff changes | asset change management; SC plans | impl | - | ADM:SG3.SP2
PM-M4 | percentage of staff and managers that are designated as vital | asset inventory; vital staff; vital managers | impl | derived | -
PM-M5 | elapsed time since the list of vital staff has been reviewed and reconciled with service continuity plans | asset inventory; vital staff | impl | - | -
PM-M6 | percentage of vital staff for which some form of risk assessment of staff availability has not been performed and documented (per policy or other guideline) within the specified timeframe | asset risk | impl | derived | PM:SG2.SP1
PM-M7 | percentage of vital staff availability risks that have not been assigned to a responsible party for action, tracking, and closure | asset risk | impl | derived | PM:SG2.SP2
PM-M8 | percentage of vital staff availability risks with a disposition of mitigate or control that do not have a defined mitigation plan | asset risk | impl | derived | PM:SG2.SP2 [39]
[39] SG3.SP2 subpractice 7 states, "Collect performance measures on the risk management process." No such measures are included here in PM; refer to the RISK PA.
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
PM-M9 | percentage of vital staff availability risks with a mitigate or control disposition that are not effectively mitigated by their mitigation plans | asset risk | effectiveness | derived | PM:SG2.SP2
PM-M10 | percentage of realized risks on the availability of vital staff that have exceeded established risk parameters | - | impl | derived | -
PM-M11 | percentage of vital staff who do not have redundancy plans | vital staff; redundancy plans | impl | derived | PM:SG3.SP1
PM-M12 | cost required to address training gaps for those designated as backups and replacements for vital staff | vital staff; training gaps | - | base of type cost | PM:SG3.SP1
PM-M13 | elapsed time required to address training gaps for those designated as backups and replacements for vital staff | vital staff; training gaps | impl | base of type schedule | PM:SG3.SP1
PM-M14 | effort required to address training gaps for those designated as backups and replacements for vital staff | vital staff; training gaps | impl | base of type effort | PM:SG3.SP1
PM-M15 | percentage of vital staff available (on hand) to conduct service continuity planned exercises and tests (versus those needed) | vital staff; SC tests | impl | derived | SC:SG5.SP3
PM-M16 | percentage of vital staff not covered by a service continuity plan | vital staff; SC plans | impl | derived | -
PM-M17 | percentage of vital staff who have not been trained for redeployment | vital staff; SC plans | impl | derived | -
PM-M18 | percentage of vital managers who do not have succession plans | vital managers; succession plans | impl | derived | -
PM-M19 | number of reports to public authorities regarding the loss of a vital higher level manager | vital managers | - | - | none
PM-M20 | percentage of first responders who do not have appropriate credentials | - | - | derived | -
PM-M21 | percentage of service continuity plans that do not include plans to support staff who are deployed during disruptive events | - | - | derived | -
PM-M22 | percentage of service continuity plans that do not include plans for transitioning staff back to the workplace (return to work) | - | impl | derived | PM:SG3.SP5, SC:SG3.SP2
PM-M23 | number of people availability risks referred to the risk management process | - | impl | - | PM:SG2.SP1
Risk Management (RISK) The purpose of Risk Management is to identify, analyze, and mitigate risks to organizational assets that could adversely affect the operation and delivery of services.
Summary of Specific Goals and Practices
RISK:SG1 Prepare for Risk Management RISK:SG1.SP1 Determine Risk Sources and Categories
RISK:SG1.SP2 Establish an Operational Risk Management Strategy RISK:SG2 Establish Risk Parameters and Focus RISK:SG2.SP1 Define Risk Parameters RISK:SG2.SP2 Establish Risk Measurement Criteria RISK:SG3 Identify Risk RISK:SG3.SP1 Identify Asset-Level Risks RISK:SG3.SP2 Identify Service-Level Risks RISK:SG4 Analyze Risk RISK:SG4.SP1 Evaluate Risk RISK:SG4.SP2 Categorize and Prioritize Risk RISK:SG4.SP3 Assign Risk Disposition RISK:SG5 Mitigate and Control Risk RISK:SG5.SP1 Develop Risk Mitigation Plans RISK:SG5.SP2 Implement Risk Strategies RISK:SG6 Use Risk Information to Manage Resilience RISK:SG6.SP1 Review and Adjust Strategies to Protect Assets and Services RISK:SG6.SP2 Review and Adjust Strategies to Sustain Services
Measures
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
RISKM1 | number of internal operational risk sources identified | risk planning | impl | base of type count | RISK:SG1.SP1
RISKM2 | number of external operational risk sources identified | risk planning | - | base of type count | RISK:SG1.SP1
RISKM3 | number of operational risk sources that are not addressed by process policies or other mitigating activities | risk planning | - | base of type count | RISK:SG1.SP1
RISKM4 | number of risk categories defined | risk planning | - | base of type count | RISK:SG1.SP1
RISKM5 | elapsed time since validation of risk categories performed | risk planning | impl | base of type schedule | RISK:SG1.SP1
RISKM6 | percentage of repeat audit findings related to operational risk management | risk strategy | impl | derived | RISK:SG1.SP2
RISKM7 | number of operational risks referred to the organization's enterprise risk management process | risk strategy | impl | base of type count | RISK:SG1.SP2
RISKM8 | number of risk parameters defined | - | impl | base of type count | RISK:SG2.SP1
RISKM9 | elapsed time since validation of risk parameters performed | - | impl | base of type schedule | RISK:SG2.SP1
RISKM10 | number of risk criteria defined | - | impl | base of type count | RISK:SG2.SP2
RISKM11 | elapsed time since validation of risk criteria performed | - | impl | base of type schedule | RISK:SG2.SP2
ID | Measure | Type of Information | Measure Type | Base or Derived | Applicable SG.SP
RISKM12 | elapsed time since risk assessment performed | asset risk | impl | base of type schedule | RISK:SG3.SP1
RISKM13 | elapsed time since business impact analysis performed | - | - | base of type schedule | -
RISKM14 | percentage of assets for which some form of risk assessment has not been performed and documented (per policy or other guideline) within the specified timeframe | risk assessment | impl | derived | RISK:SG3.SP1
RISKM15 | percentage of services for which some form of risk assessment of associated assets has not been performed and documented (per policy or other guideline) | risk assessment | impl | derived | RISK:SG3.SP2
RISKM16 | confidence factor that all risks that need to be identified have been identified (refer to template in [Allen 2010]) | - | effectiveness | derived | -
RISKM17 | change in number of identified risks that exceed risk parameters and measurement criteria | - | impl | derived | -
RISKM18 | percentage of risks for which the impact (refer to RISK:SG2.SP2) has not been characterized (qualitative, quantitative) | - | impl | derived | -
RISKM19 | percentage of risks that have not been categorized and prioritized | - | impl | derived | RISK:SG4.SP2
RISKM20 | percentage of risks that have been characterized as high impact according to risk parameters (refer to RISK:SG2) | - | impl | derived | RISK:SG4.SP1
RISKM21 | percentage of risks that exceed established risk parameters and measurement criteria, by risk category | risk valuation; risk categorization | impl | derived | RISK:SG4.SP1, RISK:SG4.SP2
RISKM22 | percentage of risks that do not have a documented and approved risk disposition | risk disposition | impl | derived | RISK:SG4.SP3
RISKM23 | percentage of risks that have not been assigned to a responsible party for action, tracking, and closure | risk mitigation | impl | derived | RISK:SG5.SP1
RISKM24 | percentage of previously identified risks that have converted from any other risk disposition to a risk disposition of mitigate or control | risk disposition | impl | derived | RISK:SG4.SP3
RISKM25 | percentage of risks with a disposition of mitigate or control that do not have a defined mitigation plan | risk disposition; risk mitigation | impl | derived | RISK:SG5.SP1
RISKM26 | percentage of assets for which a mitigation plan has been implemented to mitigate risks as necessary and to maintain these risks within acceptable risk parameters | risk mitigation; risk status | impl | derived | RISK:SG5.SP1, RISK:SG5.SP2
RISKM27 | percentage of services with an implemented mitigation plan | risk mitigation; risk status | impl | derived | -
RISKM28 | percentage of risks with a mitigate or control disposition with mitigations [40] that are not yet started | risk mitigation; risk status | impl | derived | -
CMU/SEI-2011-TR-019 | 56
Measure percentage of risks with a mitigate or control disposition with mitigations that are in progress (vs. completely implemented) percentage of risks with a mitigate or control disposition that are not effectively mitigated by their mitigation plans percentage of open risks that have not been tracked to closure percentage of risks with a disposition of mitigate or control that have a defined mitigation plan but whose status is not regularly reported (per policy or other guideline) percentage of realized risks that exceed established risk parameters41
Type of Information risk mitigation; risk status risk mitigation; risk status risk status risk status
RISK:SG5.SP2 RISK:SG5.SP2
RISKM33
risk status
effectiveness
derived
RISKM34
elapsed time since risks with the following dispositions were last reviewed and disposition confirmed: avoid, accept, monitor, research or defer, transfer
risk status
impl
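The percentage measures above are derived measures: each divides a base count (risks that meet a condition) by the size of a population, and the mitigate/control measures use the narrower population of risks with that disposition. As an added example, not code from the report, the following Python computes several of them from a constructed risk register. The CSV layout, the field names, the function names and the rule that an open risk counts as tracked only when it has both an owner and a disposition are assumptions made here; an empty population is reported as not applicable rather than as 0%, so that an empty register is never mistaken for one with no deficiencies.

```python
"""Derived RISK measures computed over a constructed risk register.

Added example, not part of the CERT-RMM report: the register layout, the
field names and the measure functions are assumptions made here so that the
percentage measures listed above can be computed offline from base counts.
"""
from __future__ import annotations

import csv
import io

# Constructed sample register (not real data). One row per identified risk.
# An empty field means the attribute has not been recorded for that risk.
RISK_REGISTER_CSV = """\
risk_id,category,impact,exceeds_parameters,disposition,owner,mitigation_plan,mitigation_status,closed
R-1,technology,high,yes,mitigate,alice,yes,in_progress,no
R-2,technology,medium,no,accept,bob,,,no
R-3,people,,yes,mitigate,,no,not_started,no
R-4,facilities,low,no,,carol,,,no
R-5,information,high,yes,control,dave,yes,implemented,yes
R-6,information,medium,no,monitor,erin,,,no
R-7,technology,high,yes,mitigate,frank,yes,not_started,no
R-8,people,low,no,transfer,grace,,,yes
"""


def load_register(text: str = RISK_REGISTER_CSV) -> list[dict]:
    """Parse the CSV register into one dict per risk."""
    return list(csv.DictReader(io.StringIO(text)))


def percentage(matching: int, total: int) -> float | None:
    """Derived measure = 100 * matching / total, rounded to 0.1.
    An empty population is reported as None (not applicable) rather than 0%."""
    if total == 0:
        return None
    return round(100.0 * matching / total, 1)


def mitigate_or_control(rows: list[dict]) -> list[dict]:
    """Subset of risks whose disposition is mitigate or control."""
    return [r for r in rows if r["disposition"] in ("mitigate", "control")]


def pct_impact_not_characterized(rows: list[dict]) -> float | None:
    """percentage of risks for which the impact has not been characterized"""
    return percentage(sum(1 for r in rows if not r["impact"]), len(rows))


def pct_without_disposition(rows: list[dict]) -> float | None:
    """percentage of risks that do not have a documented risk disposition"""
    return percentage(sum(1 for r in rows if not r["disposition"]), len(rows))


def pct_unassigned(rows: list[dict]) -> float | None:
    """percentage of risks not assigned to a responsible party"""
    return percentage(sum(1 for r in rows if not r["owner"]), len(rows))


def pct_exceeding_by_category(rows: list[dict]) -> dict[str, float | None]:
    """percentage of risks that exceed established risk parameters, by risk category"""
    result = {}
    for cat in sorted({r["category"] for r in rows}):
        in_cat = [r for r in rows if r["category"] == cat]
        over = sum(1 for r in in_cat if r["exceeds_parameters"] == "yes")
        result[cat] = percentage(over, len(in_cat))
    return result


def pct_mc_without_plan(rows: list[dict]) -> float | None:
    """percentage of mitigate/control risks that do not have a defined mitigation plan"""
    mc = mitigate_or_control(rows)
    return percentage(sum(1 for r in mc if r["mitigation_plan"] != "yes"), len(mc))


def pct_mc_with_status(rows: list[dict], status: str) -> float | None:
    """percentage of mitigate/control risks whose mitigation is in the given
    status: 'not_started', 'in_progress' or 'implemented'"""
    mc = mitigate_or_control(rows)
    return percentage(sum(1 for r in mc if r["mitigation_status"] == status), len(mc))


def pct_open_not_tracked(rows: list[dict]) -> float | None:
    """percentage of open risks that are not being tracked to closure.
    Assumption: a risk is 'tracked' only if it has both an owner and a disposition."""
    open_risks = [r for r in rows if r["closed"] != "yes"]
    untracked = sum(1 for r in open_risks if not r["owner"] or not r["disposition"])
    return percentage(untracked, len(open_risks))


def all_measures(rows: list[dict]) -> dict:
    """Compute the full set of derived measures in one pass for reporting."""
    return {
        "impact_not_characterized_pct": pct_impact_not_characterized(rows),
        "without_disposition_pct": pct_without_disposition(rows),
        "unassigned_pct": pct_unassigned(rows),
        "exceeding_by_category_pct": pct_exceeding_by_category(rows),
        "mc_without_plan_pct": pct_mc_without_plan(rows),
        "mc_not_started_pct": pct_mc_with_status(rows, "not_started"),
        "mc_in_progress_pct": pct_mc_with_status(rows, "in_progress"),
        "open_not_tracked_pct": pct_open_not_tracked(rows),
    }


if __name__ == "__main__":
    for name, value in all_measures(load_register()).items():
        print(f"{name}: {value}")
```

Each function's docstring names the measure it implements, and `all_measures` is the single call a reporting job would make. Splitting the population out (`mitigate_or_control`) keeps the denominators explicit, which is where these measures most often go wrong when computed ad hoc.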
[41] May want to specifically categorize by source of realized risk that is of greatest interest, such as incidents, control gaps, non-compliance, vulnerabilities, disruptions in continuity, etc.
Resilience Requirements Development (RRD)
The purpose of Resilience Requirements Development is to identify, document, and analyze the operational resilience requirements for high-value services and related assets.
Summary of Specific Goals and Practices
RRD:SG1 Identify Enterprise Requirements
RRD:SG1.SP1 Establish Enterprise Resilience Requirements
RRD:SG2 Develop Service Requirements
RRD:SG2.SP1 Establish Asset Resilience Requirements
RRD:SG2.SP2 Assign Enterprise Resilience Requirements to Services
RRD:SG3 Analyze and Validate Requirements
RRD:SG3.SP1 Establish a Definition of Required Functionality
RRD:SG3.SP2 Analyze Resilience Requirements
RRD:SG3.SP3 Validate Resilience Requirements
Measures
- RRDM1: percentage of enterprise requirements that have been communicated to all organizational units and lines of business (enterprise requirements; impl; derived; RRD:SG1.SP1)
- RRDM2: percentage of services with incomplete or no stated requirements (service requirements; impl; derived; RRD:SG2.SP1, RRD:SG2.SP2)
- RRDM3: percentage of assets with incomplete or no stated requirements
- RRDM4: percentage of service owners participating in the development of requirements (should be 100%)
- RRDM5: percentage of asset owners participating in the development of requirements (should be 100%)
- RRDM6: percentage of documented requirements that have not been implemented [42]
- RRDM7: percentage of assets for which the required level of functionality of the asset is not documented for all services it supports
- RRDM8: percentage of assets with requirements revisions due to: conflicts resulting from associations with multiple services; requirements deficiencies; enterprise requirements; requirements gaps
- RRDM9: percentage of asset requirements conflicts for which mitigation plans have been developed but not implemented
- RRDM10: percentage of requirements that have not been analyzed to identify conflicts and interdependencies
- RRDM11: percentage of requirements whose adequacy has not been validated
- RRDM12: elapsed time between identification of new assets and the development of requirements for these assets (mean, median)
- RRDM13: costs of developing, analyzing, validating, documenting, and tracking requirements
- RRDM14: percentage of service continuity test failures caused by incorrect or missing requirements (effectiveness; derived; none)
- RRDM15: percentage of incidents caused by incorrect or missing requirements (effectiveness; derived; none)
Type of information for RRDM3 through RRDM13: asset requirements; service requirements; enterprise, service, and asset requirements. Measure type: impl. Base or derived: derived. Applicable SG.SP: RRD:SG2.SP1, RRD:SG2.SP2, RRD:SG3.SP1, RRD:SG3.SP2, RRD:SG3.SP3.
[42] While included as an RRD measure of interest, implementation of requirements is covered in other PAs (enterprise: EF, RISK, etc.; service: EF, SC; asset: EC, KIM, PM, TM).
Resilience Requirements Management (RRM)
The purpose of Resilience Requirements Management is to manage the resilience requirements of high-value services and associated assets and to identify inconsistencies between these requirements and the activities that the organization performs to meet the requirements.
Summary of Specific Goals and Practices
RRM:SG1.SP2 Obtain Commitment to Resilience Requirements
RRM:SG1.SP3 Manage Resilience Requirements Changes
RRM:SG1.SP4 Maintain Traceability of Resilience Requirements
RRM:SG1.SP5 Identify Inconsistencies Between Resilience Requirements and Activities Performed to Meet the Requirements
Measures
- RRMM1: percentage of assets for which agreement between asset owners and custodians on asset requirements has not been reached (asset requirements; impl; derived; RRM:SG1.SP1)
- RRMM2: percentage of service level agreements between asset owners and custodians that are pending sign-off due to requirements issues (asset requirements; impl; derived; RRM:SG1.SP2)
- RRMM3: percentage of asset custodians who accept responsibility for implementing requirements, if applicable (asset requirements; impl; derived; RRM:SG1.SP1, RRM:SG1.SP2)
- RRMM4: percentage of documented, agreed-to requirements that have not been implemented [43] as scheduled
- RRMM5: percentage of asset owners participating in managing changes to requirements for the assets they own
- RRMM6: number of approved requirements changes: by asset category or type; by asset; by service; by change trigger and criteria
- RRMM7: number of unapproved requirements changes
- RRMM8: number of approved requirements changes that have not been communicated to asset custodians (via defined channels or SLAs)
- RRMM9: percentage of requirements change requests whose disposition is pending beyond schedule
- RRMM10: percentage of approved requirements changes whose implementation is pending beyond schedule
- RRMM11: percentage of requirements changes that are not subject to the organization's change control process
- RRMM12: costs of analyzing, managing, documenting, and tracking changes to requirements
- RRMM13: percentage of requirements that are not traced to a source or origination (documented in the asset profile)
- RRMM14: percentage of resilience activities that are not traced to a requirement (requirements traceability; impl; derived)
- RRMM15: number of inconsistencies detected between requirements and the activities in place to satisfy the requirements (enterprise, service, and asset requirements; impl; base of type count)
- RRMM16: number of corrective actions to align requirements and the activities required to satisfy them that are open beyond threshold (as scheduled) (enterprise, service, and asset requirements; impl; base of type count)
- RRMM17: elapsed time between major updates to assets (such as being associated with a new service) and updates to the requirements for these assets (mean, median) (asset requirements; impl; base of type schedule)
Type of information for RRMM4 through RRMM13: asset requirements; changes to requirements. Measure type: impl or effectiveness. Base or derived: derived. Applicable SG.SP: RRM:SG1.SP3; none. Applicable SG.SP for RRMM14 through RRMM17: RRM:SG1.SP5; ADM:SG3.SP2 and RRM:SG1.SP3.
[43] While included as an RRM measure of interest, actual implementation of requirements is covered in other PAs (enterprise: EF, RISK, etc.; service: EF, SC; asset: EC, KIM, PM, TM).
Resilient Technical Solution Engineering (RTSE)
The purpose of Resilient Technical Solution Engineering is to ensure that software and systems are developed to satisfy their resilience requirements.
Summary of Specific Goals and Practices
RTSE:SG1 Establish Guidelines for Resilient Technical Solution Development
RTSE:SG1.SP1 Identify General Guidelines
RTSE:SG1.SP2 Identify Requirements Guidelines
RTSE:SG1.SP3 Identify Architecture and Design Guidelines
RTSE:SG1.SP4 Identify Implementation Guidelines
RTSE:SG1.SP5 Identify Assembly and Integration Guidelines
RTSE:SG2 Develop Resilient Technical Solution Development Plans
RTSE:SG2.SP1 Select and Tailor Guidelines
RTSE:SG2.SP2 Integrate Selected Guidelines with a Defined Software and System Development Process
RTSE:SG3 Execute the Plan
RTSE:SG3.SP1 Monitor Execution of the Development Plan
RTSE:SG3.SP2 Release Resilient Technical Solutions into Production
Measures
- RTSEM1: percentage of software assets that have been developed without resilience guidelines, by guideline type: general; requirements; architecture and design; implementation; assembly and integration (resilience guidelines for software development; impl, possibly effectiveness; derived; RTSE:SG2.SP1, could also be mapped to each of the SG1 specific practices)
- RTSEM2: percentage of software assets that have been acquired without consideration of resilience guidelines, by guideline type: general; requirements; architecture and design; implementation; assembly and integration (RTSE:SG2.SP1, could also be mapped to each of the SG1 specific practices)
- RTSEM3: percentage of software development staff trained in the tailoring and use of resilience guidelines, by guideline type: general; requirements; architecture and design; implementation; assembly and integration
- RTSEM4: life-cycle costs associated with implementing each resilience guideline (time, staff resources, and funding, including training) or some meaningful collection of guidelines
- RTSEM5: percentage of resilience requirements not satisfied by a specific software or system asset [44], ranked in priority order (refer to RRD), by life-cycle phase (resilience requirements)
- RTSEM6: percentage of resilience requirements not satisfied by a specific software or system asset, where lack of satisfaction has been identified as a residual risk to be managed (resilience requirements; risk identification)
- RTSEM7: number of defects and vulnerabilities above threshold for a specific software or system asset, by life-cycle phase (vulnerabilities and defects)
- RTSEM8: number of defects and vulnerabilities above threshold for a specific software or system asset where such defects and vulnerabilities have documented mitigation plans (vulnerabilities and defects)
- RTSEM9: number of defects and vulnerabilities above threshold for a specific software or system asset where such defects and vulnerabilities have been identified as residual risks to be managed
- RTSEM10: number of defects and vulnerabilities above threshold for a specific software or system asset where the presence of such defects and vulnerabilities is a result of not implementing a resilience guideline
- RTSEM11: percentage of software assets for which some form of risk assessment has not been performed and documented (per policy or other resilience guidelines) and within the specified time frame, by life-cycle phase (asset risk)
- RTSEM12: percentage of system assets for which some form of risk assessment has not been performed and documented (per policy or other resilience guidelines) and within the specified time frame, by life-cycle phase
- number of unauthorized changes to software assets, by life-cycle phase
- number of unauthorized changes to system assets, by life-cycle phase
- inspection yield: defects found during the inspection / (defects found during the inspection + those that escaped the inspection) (inspections; effectiveness; derived)
- inspection removal rate: effort spent in inspection / number of defects found in inspection (inspections; derived)
- planned versus actual number of inspections
- percentage of software assets released into production without consideration of resilience guidelines (resilience guidelines for released software; impl, possibly effectiveness)
- percentage of system assets released into production without consideration of resilience guidelines (resilience guidelines for released software; impl, possibly effectiveness)
- elapsed time between the identification of a newly released software or system asset and its inclusion in the asset inventory (asset inventory; ADM:SG1.SP1)
- number of software and system development risks referred to the risk management process (risk identification)
- percentage of software and system development policies that are met
- test defect density: number of vulnerabilities found in test / size of software asset
- usage defect density: (number of vulnerabilities found while using software, or number of incidents that occurred while using software) / size of software asset
Measure type for the RTSE measures above: impl; effectiveness; impl, possibly effectiveness. Base or derived: derived. Applicable SG.SP: RTSE:SG2.SP1 (could also be mapped to each of the SG1 specific practices), RTSE:SG3.SP1, RTSE:SG3.SP2, ADM:SG1.SP1.
[44] This presumes that criteria for satisfaction are well established, such as evidence associated with one or more assurance cases or the results of specific review milestones or selected test cases.
Service Continuity (SC)
The purpose of Service Continuity is to ensure the continuity of essential operations of services and related assets if a disruption occurs as a result of an incident, disaster, or other disruptive event.
Summary of Specific Goals and Practices
SC:SG1 Prepare for Service Continuity
SC:SG1.SP1 Plan for Service Continuity
SC:SG1.SP2 Establish Standards and Guidelines for Service Continuity
SC:SG2 Identify and Prioritize High-Value Services
SC:SG2.SP1 Identify the Organization's High-Value Services
SC:SG2.SP2 Identify Internal and External Dependencies and Interdependencies
SC:SG2.SP3 Identify Vital Organizational Records and Databases
SC:SG3 Develop Service Continuity Plans
SC:SG3.SP1 Identify Plans to Be Developed
SC:SG3.SP2 Develop and Document Service Continuity Plans
SC:SG3.SP3 Assign Staff to Service Continuity Plans
SC:SG3.SP4 Store and Secure Service Continuity Plans
SC:SG3.SP5 Develop Service Continuity Plan Training
SC:SG4 Validate Service Continuity Plans
SC:SG4.SP1 Validate Plans to Requirements and Standards
SC:SG4.SP2 Identify and Resolve Plan Conflicts
SC:SG5 Exercise Service Continuity Plans
SC:SG5.SP1 Develop Testing Program and Standards
SC:SG5.SP2 Develop and Document Test Plans
SC:SG5.SP3 Exercise Plans
SC:SG5.SP4 Evaluate Plan Test Results
SC:SG6 Execute Service Continuity Plans
SC:SG6.SP1 Execute Plans
SC:SG6.SP2 Measure the Effectiveness of the Plans in Operation
SC:SG7 Maintain Service Continuity Plans
SC:SG7.SP1 Establish Change Criteria
SC:SG7.SP2 Maintain Changes to Plans
Measures
- SC-M1: elapsed time since the organization-wide plan for managing SC and the standards and guidelines for SC were reviewed and updated (SC program; impl; base of type schedule; SC:SG1.SP1, SC:SG1.SP2)
- SC-M2: percentage of unstaffed roles and responsibilities in the organization-wide plan for managing SC (SC program; impl; derived; SC:SG1.SP1)
- SC-M3: percentage of SC guidelines and standards that are more/less stringent than required to meet compliance obligations (SC program; impl; derived)
- SC-M4: number of relationships [45] (organization-wide, by SC plan) necessary to ensure SC
- SC-M5: number of points of contact for relationships that require updates
- SC-M6: elapsed time since review and update of the list of vital organizational records and databases
- SC-M7: percentage of SC plans completed (SC plan development; impl; derived)
- SC-M8: number of required SC plans that have not yet been developed (based on high-value services and associated assets that do not have SC plans) (SC plan development; impl; derived; base of type count)
- percentage of SC plans that are not stored in a central storage system (SC:SG3.SP4)
- percentage of plans that are dependent on other plans; number of plans on which they are dependent (SC plan dependencies)
- percentage of plans with missing components (designated owner, resources, etc.)
- percentage of plans without established owners
- percentage of plans without identified stakeholders
- number of staff assigned to SC plans that are no longer employed by the organization
- percentage of defined roles in SC plans that are not assigned to specific staff
- percentage of defined roles in SC plans for which backup staff are not identified
- percentage of SC plans that do not meet service and asset resilience requirements
- percentage of SC plans that do not meet standards and guidelines
- percentage of staff not covered by a service continuity plan
- percentage of staff who have not been trained on their roles and responsibilities as defined in SC plans (SC plan training; SC:SG3.SP5)
- percentage of plans with one or more severe conflicts (such as a single point of failure) that have not been mitigated (SC plan conflicts; SC:SG4.SP2)
- percentage of SC plans that do not have a schedule for testing and review
- percentage of SC plans that do not have a test plan
- percentage of SC test plans that have/have not been exercised
- percentage of interdependent service continuity plans that have/have not been jointly tested
- percentage of SC test plans that have failed one or more test objectives
- percentage of SC plan test objectives (RTOs and RPOs) unmet
- number of staff with defined roles in SC plans who do not have access to such plans within specified thresholds (time)
- average time for staff with defined SC plan roles to access SC plans
- percentage of realized risks for service continuity that exceed established risk parameters (base of type count; derived)
- percentage of SC plans executed (never executed) (SC plan execution; derived; SC:SG6.SP1)
- percentage of plans that have not been reviewed post-execution (SC plan review; derived)
- percentage of plans that require changes (as defined by change criteria) (SC plan changes; derived)
- percentage of plans that have been changed without authorization (SC plan changes; derived)
- percentage of plans that have been changed without review (SC plan changes; derived)
- percentage of plans that have been changed without testing (SC plan changes; derived)
- frequency of changes to plans by service or service type (SC plan changes; base of type schedule)
Type of information for the remaining SC measures above: SC plan omissions; SC plan testing. Measure type: impl. Base or derived: derived; base of type count. Applicable SG.SP: SC:SG3.SP2, SC:SG3.SP3, SC:SG3.SP4, SC:SG4.SP1, SC:SG4.SP2, SC:SG5.SP3, none.
Technology Management (TM)
The purpose of Technology Management is to establish and manage an appropriate level of controls related to the integrity and availability of technology assets to support the resilient operations of organizational services.
Summary of Specific Goals and Practices
TM:SG1 Establish and Prioritize Technology Assets
TM:SG1.SP1 Prioritize Technology Assets
TM:SG1.SP2 Establish Resilience-Focused Technology Assets
TM:SG2 Protect Technology Assets
TM:SG2.SP1 Assign Resilience Requirements to Technology Assets
TM:SG2.SP2 Establish and Implement Controls
TM:SG3 Manage Technology Asset Risk
TM:SG3.SP1 Identify and Assess Technology Asset Risk
TM:SG3.SP2 Mitigate Technology Risk
TM:SG4 Manage Technology Asset Integrity
TM:SG4.SP1 Control Access to Technology Assets
TM:SG4.SP2 Perform Configuration Management
TM:SG4.SP3 Perform Change Control and Management
TM:SG4.SP4 Perform Release Management
TM:SG5 Manage Technology Asset Availability
TM:SG5.SP1 Perform Planning to Sustain Technology Assets
TM:SG5.SP2 Manage Technology Asset Maintenance
TM:SG5.SP3 Manage Technology Capacity
Measures
- TM-M3 through TM-M18: asset inventory and asset change management measures (impl; base of type count, base of type schedule, or derived; applicable SG.SP: ADM:SG1.SP3, ADM:SG2.SP1, ADM:SG2.SP2, ADM:SG3.SP2, TM:SG1.SP2)
- TM-M19: percentage of technology assets without assigned/defined resilience requirements (asset requirements)
- TM-M20: percentage of technology assets with assigned/defined resilience requirements that are undocumented (asset requirements)
- TM-M21: percentage of technology assets that do not satisfy their resilience requirements (asset requirements)
- TM-M22: percentage of technology assets with no or missing protection controls (asset controls)
- percentage of technology asset controls (protection and sustainment) that are ineffective or inadequate as demonstrated by: unsatisfied control objectives; unmet resilience requirements; outstanding control assessment problem areas above established thresholds and without remediation plans
- percentage of technology asset control deficiencies not resolved by scheduled due date (refer to CTRL measures for categories of control deficiencies)
- elapsed time since review of the effectiveness of technology asset controls
- elapsed time since risk assessment of technology assets performed
- elapsed time since business impact analysis of technology assets performed
- percentage of technology assets for which business impact valuation [46] has not been performed
- percentage of technology assets for which a risk assessment has not been performed and documented (per policy or other guideline) and according to plan
- percentage of technology asset risks that have not been assigned to a responsible party for action, tracking, and closure
- percentage of technology asset risks [47] with a disposition of mitigate or control that do not have a defined mitigation plan
- percentage of technology asset risks with a mitigate or control disposition that are not effectively mitigated by their mitigation plans
- percentage of realized risks for technology assets that exceed established risk parameters
- number of violations of access control policies for technology assets
- percentage of intrusions into digital technology assets where impact exceeds threshold
- percentage of intrusions into physical technology assets where impact exceeds threshold
- elapsed time since audit of technology asset modification logs
- percentage of technology assets for which approved configuration settings have/have not been implemented as required by policy
- percentage of technology assets with configurations that deviate from approved standards for which exceptions have not been granted
- elapsed time since review of technology asset configuration control logs
- elapsed time since audit of technology asset configurations
- number of unauthorized changes to technology assets (may need to report by some meaningful categorization of assets)
- change success rate (percentage of changes to technology assets that succeed without causing an incident, service outage, or impairment)
- percentage of changes that are high-priority, emergency changes
- percentage of changes that result from deficiencies in resilience requirements
- elapsed time between: scheduled technology asset configuration updates and actual configuration updates; scheduled technology asset changes and actual changes; scheduled technology asset releases into production and actual releases
- percentage of technology assets approved for release into production that have not undergone a security review
- percentage of technology assets released into production that have not undergone security testing in accordance with policy
- percentage of technology assets released to production that deviate from approved standards for which exceptions have not been granted
- percentage of technology assets without availability metrics
- percentage of technology assets without recovery time objectives (RTO)
- percentage of technology assets without recovery point objectives (RPO)
- number of technology assets that do not have their own service continuity plan where one is required
- percentage of external entities that are not meeting service level agreements for technology assets subject to external entity services
- elapsed time since technology asset maintenance performed
- number of scheduled maintenance activities that exceed recommended service intervals
- number of scheduled maintenance activities that do not meet recommended specifications
- number of maintenance changes that were made without following change management procedures
- number of technology assets requiring capacity management for which no forecast or strategy exists
- elapsed time since the capacity management strategy for technology assets has been validated and updated
- elapsed time since the technology asset interoperability strategy has been reviewed
Type of information for TM-M23 onward: asset controls; asset risk; asset access controls; asset intrusions; asset configuration; asset change management; asset configuration, change, and release management; asset sustainment; asset maintenance; asset capacity. Measure type: impl; impl, possibly effectiveness. Base or derived: base of type count, base of type schedule, or derived. Applicable SG.SP: TM:SG2.SP1, TM:SG2.SP2, TM:SG3.SP1, TM:SG3.SP2 [48], TM:SG4.SP1, TM:SG4.SP2, TM:SG4.SP3, TM:SG4.SP4, TM:SG5.SP2, TM:SG5.SP3, TM:SG5.SP4, none.
[46] Business impact valuation can be either qualitative (high, medium, low) or quantitative (based on levels of loss or damage, fines, number of customers lost, disruption in access, etc.).
[47] This measure also appears in RISK M4-1. For ease of use of an individual PA (vs. ease of maintenance and consistency), we have decided to replicate some (but not all) risk-related measures in the individual asset PAs that are identified generally in the list of RISK PA measures.
[48] SG3.SP2 subpractice 7 states, "Collect performance measures on the risk management process." No such measures are included here in TM; refer to the RISK PA.
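The configuration and change measures above (approved settings not implemented, deviations without granted exceptions, unauthorized changes, change success rate, emergency changes) can be computed directly from an approved configuration standard, the settings observed on each asset, the exception register and the change log. The following Python is an added example and not code from the report; the baseline settings, observed values, exception list, change records and function names are all constructed here. One design choice worth noting: a setting that was never recorded for an asset is counted as a deviation, so missing evidence shows up as non-compliance rather than being silently treated as compliant.

```python
"""Technology asset configuration, change and release measures computed over
constructed records.

Added example, not part of the CERT-RMM report: the baseline, the observed
settings, the exception list, the change records and the function names are
assumptions made here so the measures can be computed offline.
"""
from __future__ import annotations

# Approved configuration standard (constructed): setting -> required value.
APPROVED_BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "audit.enabled": "yes",
    "ntp.enabled": "yes",
}

# Settings observed on each technology asset (constructed sample data).
OBSERVED = {
    "web-01": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no",
               "audit.enabled": "yes", "ntp.enabled": "yes"},
    "web-02": {"ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "no",
               "audit.enabled": "yes", "ntp.enabled": "yes"},
    "db-01": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "yes",
              "audit.enabled": "yes"},  # ntp.enabled was never recorded
    "jump-01": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "yes",
                "audit.enabled": "yes", "ntp.enabled": "yes"},
}

# Granted exceptions (constructed): asset -> settings it is allowed to deviate on.
EXCEPTIONS = {"jump-01": {"ssh.PasswordAuthentication"}}

# Change records (constructed): one entry per change applied to an asset.
CHANGES = [
    {"id": "CHG-1", "asset": "web-01", "authorized": True, "emergency": False, "caused_incident": False},
    {"id": "CHG-2", "asset": "web-02", "authorized": False, "emergency": False, "caused_incident": True},
    {"id": "CHG-3", "asset": "db-01", "authorized": True, "emergency": True, "caused_incident": False},
    {"id": "CHG-4", "asset": "db-01", "authorized": True, "emergency": False, "caused_incident": True},
    {"id": "CHG-5", "asset": "jump-01", "authorized": False, "emergency": True, "caused_incident": False},
]


def percentage(matching: int, total: int) -> float | None:
    """100 * matching / total rounded to 0.1; None when the population is empty."""
    if total == 0:
        return None
    return round(100.0 * matching / total, 1)


def deviations(asset: str, observed=OBSERVED, baseline=APPROVED_BASELINE) -> set[str]:
    """Settings whose observed value differs from the approved standard.
    A setting that was not recorded at all counts as a deviation: absence of
    evidence is treated as non-compliance, not as compliance."""
    seen = observed[asset]
    return {k for k, v in baseline.items() if seen.get(k) != v}


def unexcepted_deviations(asset: str, exceptions=EXCEPTIONS) -> set[str]:
    """Deviations on the asset that are not covered by a granted exception."""
    return deviations(asset) - exceptions.get(asset, set())


def pct_assets_not_implementing_baseline(observed=OBSERVED) -> float | None:
    """percentage of technology assets for which approved configuration
    settings have not been implemented (any deviation, excepted or not)"""
    assets = list(observed)
    return percentage(sum(1 for a in assets if deviations(a)), len(assets))


def pct_assets_deviating_without_exception(observed=OBSERVED) -> float | None:
    """percentage of technology assets with configurations that deviate from
    approved standards for which exceptions have not been granted"""
    assets = list(observed)
    return percentage(sum(1 for a in assets if unexcepted_deviations(a)), len(assets))


def unauthorized_change_count(changes=CHANGES) -> int:
    """number of unauthorized changes to technology assets"""
    return sum(1 for c in changes if not c["authorized"])


def change_success_rate(changes=CHANGES) -> float | None:
    """percentage of changes that succeed without causing an incident"""
    return percentage(sum(1 for c in changes if not c["caused_incident"]), len(changes))


def pct_emergency_changes(changes=CHANGES) -> float | None:
    """percentage of changes that are high-priority, emergency changes"""
    return percentage(sum(1 for c in changes if c["emergency"]), len(changes))


if __name__ == "__main__":
    for asset in OBSERVED:
        print(asset, "deviations:", sorted(deviations(asset)),
              "unexcepted:", sorted(unexcepted_deviations(asset)))
    print("baseline not implemented %:", pct_assets_not_implementing_baseline())
    print("deviating without exception %:", pct_assets_deviating_without_exception())
    print("unauthorized changes:", unauthorized_change_count())
    print("change success rate %:", change_success_rate())
    print("emergency changes %:", pct_emergency_changes())
```

The two configuration percentages differ only in whether granted exceptions are subtracted before counting, which is exactly the distinction the two measures draw; keeping the exception register as data rather than editing the baseline preserves the evidence of what was approved and why.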
Vulnerability Analysis and Resolution (VAR)
The purpose of Vulnerability Analysis and Resolution is to identify, analyze, and manage vulnerabilities in an organization's operating environment.
Summary of Specific Goals and Practices
VAR:SG1 Prepare for Vulnerability Analysis and Resolution
VAR:SG1.SP1 Establish Scope
VAR:SG1.SP2 Establish a Vulnerability Analysis and Resolution Strategy
VAR:SG2 Identify and Analyze Vulnerabilities
VAR:SG2.SP1 Identify Sources of Vulnerability Information
VAR:SG2.SP2 Discover Vulnerabilities
VAR:SG2.SP3 Analyze Vulnerabilities
VAR:SG3 Manage Exposure to Vulnerabilities
VAR:SG3.SP1 Manage Exposure to Vulnerabilities
Measures
- VARM5 through VARM15: vulnerability monitoring, vulnerability resolution, and process performance measures (measure type: impl or effectiveness; base or derived: base of type count, base of type schedule, or derived; applicable SG.SP: VAR:SG2.SP3, VAR:SG3.SP1, VAR:SG4.SP1, VAR:GG2.GP7, none)
References
[Allen 2010] Allen, Julia & Davis, Noopur. Measuring Operational Resilience Using the CERT Resilience Management Model (CMU/SEI-2010-TN-030). Software Engineering Institute, Carnegie Mellon University, September 2010. http://www.sei.cmu.edu/library/abstracts/reports/10tn030.cfm
[Caralli 2010] Caralli, Richard A.; Allen, Julia H.; Curtis, Pamela D.; White, David W.; & Young, Lisa R. CERT Resilience Management Model, v1.0 (CMU/SEI-2010-TR-012). Software Engineering Institute, Carnegie Mellon University, 2010. http://www.sei.cmu.edu/library/abstracts/reports/10tr012.cfm
[Caralli 2011] Caralli, Richard A.; Allen, Julia H.; & White, David W. CERT Resilience Management Model: A Maturity Model for Managing Operational Resilience. Addison-Wesley, 2011.
Report Documentation Page (Standard Form 298, Rev. 2-89, prescribed by ANSI Std. Z39-18 298-102)
Report date: July 2011
Report type: Final
Funding numbers: FA8721-05-C-0003
Sponsoring/monitoring agency: HQ ESC/XPK, 5 Eglin Street, Hanscom AFB, MA 01731-2116
Sponsoring/monitoring agency report number: ESC-TR-2011-019
Distribution/availability statement: Unclassified/Unlimited, DTIC, NTIS
Abstract: How resilient is my organization? Have our processes made us more resilient? Members of the CERT Resilient Enterprise Management (REM) team are conducting research to address these and other related questions. The team's first report, Measuring Operational Resilience Using the CERT Resilience Management Model, defined high-level objectives for managing an operational resilience management (ORM) system, demonstrated how to derive meaningful measures from those objectives, and presented a template for defining resilience measures, along with example measures. In this report, REM team members suggest a set of top ten strategic measures for managing operational resilience. These measures derive from high-level objectives of the ORM system defined in the CERT Resilience Management Model, Version 1.1 (CERT-RMM). The report also provides measures for each of the 26 process areas of CERT-RMM, as well as a set of global measures that apply to all process areas. This report thus serves as an addendum to CERT-RMM Version 1.1. Since CERT-RMM practices map to bodies of knowledge and codes of practice such as ITIL, COBIT, ISO2700x, BS25999, and PCI DSS, the measures may be useful for measuring security, business continuity, and IT operations management processes, either as part of adoption of CERT-RMM or independent of it.
Subject terms: Resilience management, risk, measure, measurement, enterprise security management, strategic planning, information security, risk management, operational risk management, process improvement, resilience, operational resilience, CERT-RMM
Security classification of report: Unclassified
Limitation of abstract: UL
NSN 7540-01-280-5500